KR20210038285A - Apparatus and method for managing integrated storage supporting hierachical structure - Google Patents

Abstract

Disclosed are a device and method for managing a hierarchical structure support combined storage. The device for managing the hierarchical structure support combined storage according to one embodiment of the present invention comprises: one or more processors; and an executable memory for storing at least one program to be executed by the one or more processors. The at least one program tiers public cloud storage and storages included in on-premises storage according to storage characteristics, stores data in tiered storages according to the storage characteristics, and stores data in tiered storages according to the characteristics of the data. Therefore, the present invention is capable of fundamentally blocking the leakage of sensitive data.

Description

Hierarchical structure support integrated storage management device and method {APPARATUS AND METHOD FOR MANAGING INTEGRATED STORAGE SUPPORTING HIERACHICAL STRUCTURE}

The present invention relates to an integrated storage management technology supporting a hierarchical structure, and more particularly, to an integrated storage management technology supporting a hierarchical structure of storage of cloud storage and non-cloud storage in a cloud computing environment.

Currently, technology development and market demand for cloud computing that users want to use by borrowing services without time and place constraints is increasing. Cloud computing can provide network, storage, and computing services desired by users through the Internet without having to build dedicated HW and SW for each user.

In the case of a storage system related to a data storage service among cloud computing technologies, a user can simply request data storage through a secure and convenient service interface provided by the system. At this time, a cloud integrated storage system is being developed in which data is stored in a single type of storage in which on-premises-public cloud storage is integrated.

In particular, the cloud unified storage system integrates and manages and operates a single form of on-premises-public storage that can take advantage of both on-premise storage owned by companies and organizations and public cloud storage provided by cloud providers. I can.

The cloud integrated storage system can provide a converged storage infrastructure service that secures elasticity and cost efficiency of storage space and guarantees control and reliability of sensitive data through a single form of on-premises-public storage.

Through this, the cloud integrated storage system can create new business and expand the convenience of using cloud services for use in various fields.

Looking at the trend of the conventional similar system is as follows.

In order to support the operation of'IDC 3rd Platform (real-time analysis, IoT, AI computing)', requirements to build and introduce hybrid cloud computing services are increasing.

'IDC 3rd Platform (real-time analysis, IoT, AI computing)' aims to support the expansion of computing resources by integrating various cloud models into one, and to improve the management efficiency of automation and computing environment.

HP provides REST API-based infrastructure management functions based on the OpenStack structure, and some services are providing its own open source Helion Eucalyputs platform designed to be compatible with Amazon AWS.

VMware announced vCHS (vCloud Hybrid Service), which provides server, storage, and network virtualization technologies based on the existing VMware virtualization and infrastructure.

Rackspace focuses on expanding the cloud infrastructure area, consolidating cloud servers and enterprise SAN storage, and supporting data protection through Cisco ASA firewall.

Avere System's Avere FlashCloud and MS's Storsimple are cloud storage gateways with a storage tiering structure that divides local and cloud storage according to data usage frequency to provide data backup and archive, Tier2 level applications, and disaster recovery services. I have the technology.

The technology that operates the same data in both local and public storage in the form of replication is a cloud storage gateway copy structure, and there is a Ctera Networks Cloud Storage Gateway solution. The technology additionally provides file distribution and file synchronization and sharing services.

Cloud integrated storage is a storage system that integrates on-premises storage and cloud storage into one. Cloud unified storage can automatically distribute or move data to on-premises storage and cloud storage based on the characteristics of the data. In addition, data can be manually saved to a specific on-premises storage or cloud storage at the user's command.

The data stored in the storage is used for various data processing services, but there is still a risk of data leakage when servicing security-sensitive data such as financial, medical, and personal information. In particular, when such data is serviced on the cloud, the risk of data leakage further increases. The reason is that even if on-premises or cloud systems provide various security functions, various hacking techniques and data leakage by humans cannot be fundamentally blocked.

Data is encrypted for security and then stored in storage. Even if encrypted data is leaked, it is safe because it cannot be decrypted without a key. However, in order to perform a data processing service for the data, the encrypted data must be decrypted. If the decrypted data is leaked, it is a problem because sensitive data is exposed as it is. Therefore, in the existing system that provides processing services for sensitive data, there is no way to fundamentally block data leakage.

Meanwhile, Korean Patent Laid-Open No. 10-2019-0045049 "Integrated Storage Management Device and Method" is an integrated storage management device that distributes and stores data and manages data for storage in integrated storage including on-premises storage and cloud storage. And a method.

An object of the present invention is to simultaneously support a processing service for sensitive data while preventing leakage of sensitive data stored in a storage.

In addition, an object of the present invention is to provide a sensitive data processing service by decrypting encrypted data stored in a storage, and to fundamentally block the leakage of sensitive data.

In addition, the present invention aims to improve the read/write performance of the unified storage in which cloud storage and on-premises storage are integrated.

In addition, an object of the present invention is to provide a data storage service with the same performance as the cloud storage and the on-premises storage included in the integrated storage.

In addition, an object of the present invention is to move the user's data based on the elasticity and cost efficiency of the storage space.

In addition, an object of the present invention is to provide a service of integrated storage that meets the needs of users by supporting various cloud storages such as Amazon S3 and MS Azure.

In addition, an object of the present invention is to provide cloud storage with access speed of an on-premises storage level.

In addition, an object of the present invention is to provide a service interface so that a user can access the cloud integrated storage using various service protocols.

In addition, an object of the present invention is to provide various types of storage services, such as a conventional traditional file, block-level storage service, and an object type storage service provided by the recent cloud storage.

In addition, an object of the present invention is to ensure secure data transmission between on-premises storage and cloud storage to ensure user data confidentiality.

In addition, an object of the present invention is to prevent data loss due to a system error.

In addition, an object of the present invention is to support a multi-tenant function that simultaneously performs a plurality of cloud services.

In addition, an object of the present invention is to improve storage management performance by managing storages of on-premises storage and public cloud storage in a hierarchical structure.

In addition, an object of the present invention is to reduce the risk of a user's data exposure and to activate the use of computing resources in the public cloud.

An integrated storage management apparatus supporting a hierarchical structure according to an embodiment of the present invention for achieving the above object comprises: one or more processors; And an execution memory storing at least one program executed by the one or more processors, wherein the at least one program tier storages included in public cloud storage and on-premises storage according to storage characteristics, and the storage characteristics Data may be stored in the tiered storages according to the data, and data may be stored in the tiered storages according to the characteristics of the data.

In this case, the at least one program may classify and manage the storages into a performance class tier, a capacity class tier, and a storage class tier.

In this case, the at least one program may manage memory and flash storage in a performance level layer.

In this case, the at least one program may manage on-premises storage in a capacity class layer.

In this case, the at least one program may manage public cloud storage in a storage level layer.

In this case, the at least one program may use a read cache and a write cache to store data managed in a storage of a performance level layer.

In this case, the at least one program may store the location of the stored data as metadata using a write cache.

In this case, the at least one program may calculate a hash value of stored data using a read cache, and store the data and the hash value in pairs.

In this case, the at least one program may identify a time at which data managed in the storage of the capacity class layer and the storage class layer is recorded, and record a log according to the time.

In this case, the at least one program may add information about the time to the end of the log.

In this case, the at least one program may store data in hierarchical storages according to the characteristics of the data.

In this case, the at least one program may separately store metadata, protect data communication, and encrypt data.

In this case, the at least one program may store encrypted data according to data characteristics in public cloud storage, and separate and store metadata related to the encrypted data in on-premises storage.

In this case, the at least one program may guarantee high-reliability data transmission through SSL/TLS-based encryption when communicating between the on-premises storage and the public cloud storage. Data encryption can provide three types of AES (128, 192, 256) for encryption of data stored in back-end storage.

In this case, the public cloud storage may provide an application service by accessing the data of the on-premises storage using a virtual appliance in the at least one or more programs.

A hierarchical structure supporting integrated storage management method according to an embodiment of the present invention for achieving the above object is a hierarchical structure supporting integrated storage management method of a hierarchical structure supporting integrated storage management device, public cloud storage and on-premises Stratifying storages included in the storage according to storage characteristics; And storing data in tiered storages according to the storage characteristics and storing data in tiered storages according to the data characteristics.

In this case, in the tiering step, storages included in the public cloud storage and the on-premises storage may be tiered according to storage characteristics.

In this case, in the step of tiering, storages may be classified and managed into a performance class tier, a capacity class tier, and a storage class tier.

In this case, in the step of layering, memory and flash storage may be managed in a performance level layer.

In this case, in the tiering step, on-premises storage may be managed in a capacity class hierarchy.

In this case, in the step of tiering, the public cloud storage may be managed at the storage level layer.

In this case, the step of storing data in storages that are layered according to the storage characteristics may store data in storages that are layered according to the storage characteristics.

In this case, in the step of storing the data in the hierarchical storages according to the storage characteristics, data managed in the storage of the performance level layer may be stored using a read cache and a write cache.

In this case, in the step of storing data in the hierarchical storages according to the storage characteristics, the location of the stored data may be stored as metadata using a write cache.

In this case, in the step of storing data in hierarchical storages according to the storage characteristics, a hash value of the stored data may be calculated using a read cache, and the data and the hash value may be stored in pairs.

In this case, the step of storing data in the storages that are layered according to the storage characteristics may identify a time at which data managed in the storage of the capacity class layer and the storage class layer is recorded, and record a log according to the time.

In this case, storing data in hierarchical storages according to the storage characteristics may add information about the time to the end of the log.

In this case, storing the data in the hierarchical storages according to the characteristics of the data may store the data in the hierarchical storages according to the characteristics of the data.

In this case, storing the data in the hierarchical storages according to the characteristics of the data may perform separate storage of metadata, data communication protection, and data encryption.

In this case, storing the data in the tiered storages according to the characteristics of the data includes storing the encrypted data in the public cloud storage according to the characteristics of the data, and separately storing the metadata related to the encrypted data in the on-premises storage. I can.

In this case, storing data in tiered storages according to the characteristics of the data may ensure high-reliability data transmission through SSL/TLS-based encryption when communicating between on-premises storage and public cloud storage. Data encryption can provide three types of AES (128, 192, 256) for encryption of data stored in back-end storage.

In this case, in the step of storing data in tiered storages according to the characteristics of the data, the public cloud storage may provide an application service by accessing data in the on-premises storage using a virtual appliance.

The present invention can fundamentally block the leakage of sensitive data stored in the storage and simultaneously support a processing service for sensitive data.

In addition, the present invention decrypts the encrypted data stored in the storage to provide a sensitive data processing service, and can fundamentally block the leakage of sensitive data.

In addition, the present invention can improve the read/write performance of the unified storage in which cloud storage and on-premises storage are integrated.

In addition, the present invention can provide a data storage service with the same performance as the cloud storage and the on-premises storage included in the integrated storage.

In addition, the present invention can move the user's data based on the elasticity and cost efficiency of the storage space.

In addition, the present invention supports various cloud storages such as Amazon S3 and MS Azure to provide a service of integrated storage that meets the needs of users.

In addition, the present invention can provide cloud storage with access speed of an on-premises storage level.

In addition, the present invention may provide a service interface so that a user can access the cloud integrated storage using various service protocols.

In addition, the present invention can provide various types of storage services, such as a conventional traditional file, block-level storage service, and an object-type storage service provided by the recent cloud storage.

In addition, the present invention can ensure secure data transmission between on-premises storage and cloud storage, thereby ensuring user data confidentiality.

In addition, the present invention can prevent data loss due to a system error.

In addition, the present invention provides a cloud integrated storage in the form of an appliance in which storage hardware and software are integrated into one for user convenience, so that a system can be easily constructed.

In addition, the present invention may support a multi-tenant function that simultaneously performs a plurality of cloud services.

In addition, the present invention can improve storage management performance by managing storages of on-premises storage and public cloud storage in a hierarchical structure.

In addition, the present invention can reduce the risk of a user's data exposure and activate the use of computing resources in the public cloud.

1 is a block diagram showing an integrated storage system according to an embodiment of the present invention.
2 is a block diagram showing an integrated storage management apparatus according to an embodiment of the present invention.
3 is a detailed block diagram illustrating an example of a storage connection unit shown in FIG. 2.
4 is a block diagram showing in detail an example of the data manipulation unit shown in FIG. 2.
5 is a diagram showing an example of a ramdisk according to an embodiment of the present invention.
6 is a diagram illustrating in detail operations of a data distribution and storage unit and a backend storage management unit according to an embodiment of the present invention.
7 is an operation flow diagram showing an integrated storage management method according to an embodiment of the present invention.
8 is a diagram illustrating a relationship between an integrated storage management device and a service provider according to an embodiment of the present invention.
9 is an operation flow diagram illustrating an integrated storage management method for registering a storage service according to an embodiment of the present invention.
10 is a block diagram showing an integrated storage management apparatus according to an embodiment of the present invention.
11 is a block diagram showing a multi-tenant-based integrated storage management apparatus using a backend connection daemon according to an embodiment of the present invention.
12 is an operation flow diagram illustrating a multi-tenant-based integrated storage management method for providing a storage service according to an embodiment of the present invention.
13 is a diagram showing a computer system according to an embodiment of the present invention.
14 is a diagram showing an integrated storage system according to an embodiment of the present invention.
15 is a diagram illustrating multiple storage types and an access mechanism for data access in an integrated storage system according to an embodiment of the present invention.
16 is a diagram illustrating a data read/write cache and a parallel distributed file for improving performance according to an embodiment of the present invention.
17 is a diagram illustrating a use case of an integrated storage management system according to an embodiment of the present invention.
18 is an operation flow diagram illustrating a data storage registration process for an integrated storage service according to an embodiment of the present invention.
19 is a block diagram showing an apparatus for processing sensitive data according to an embodiment of the present invention.
FIG. 20 is a detailed block diagram illustrating an example of a cloud integrated storage device and a data unprotected area processor illustrated in FIG. 19.
FIG. 21 is a detailed block diagram illustrating an example of a data unprotected area processing unit and a data protected area processing unit shown in FIG. 20.
FIG. 22 is a detailed block diagram illustrating an example of a sensitive data service gateway unit shown in FIG. 21.
23 is an operation flow diagram showing a method of processing sensitive data according to an embodiment of the present invention.
24 is a flowchart illustrating a method of processing sensitive data in a data unprotected area processing unit and a data protected area processing unit according to an embodiment of the present invention.
25 is a flowchart illustrating a method of processing sensitive data in a sensitive data service gateway unit according to an embodiment of the present invention.
26 and 27 are block diagrams showing in detail an integrated storage management function according to an embodiment of the present invention.
28 is a diagram showing an automatic layering structure of a cloud infrastructure system according to an embodiment of the present invention.
29 is a diagram illustrating types of storage in a hierarchical structure according to an embodiment of the present invention.
30 is a block diagram showing an integrated storage management apparatus supporting a hierarchical structure according to an embodiment of the present invention.
FIG. 31 is a detailed block diagram illustrating an example of a backend interface proxy unit shown in FIG. 30.
32 is a diagram illustrating an operating environment of an integrated storage management apparatus supporting a hierarchical structure according to an embodiment of the present invention.
33 is an operation flow diagram illustrating a method for managing integrated storage supporting a hierarchical structure according to an embodiment of the present invention.

The present invention will be described in detail with reference to the accompanying drawings. Here, repeated descriptions, well-known functions that may unnecessarily obscure the subject matter of the present invention, and detailed descriptions of configurations are omitted. Embodiments of the present invention are provided to more completely explain the present invention to those with average knowledge in the art. Accordingly, the shapes and sizes of elements in the drawings may be exaggerated for clearer explanation.

Throughout the specification, when a certain part "includes" a certain component, it means that other components may be further included rather than excluding other components unless specifically stated to the contrary.

Hereinafter, preferred embodiments according to the present invention will be described in detail with reference to the accompanying drawings.

1 is a block diagram showing an integrated storage system according to an embodiment of the present invention.

Referring to FIG. 1, an integrated storage system according to an embodiment of the present invention may include a user client device 10, an integrated storage management device 100, and an integrated storage 20.

The user client device 10 may allow a user to request a service of the integrated storage 20 through the integrated storage management device 100 and receive a service.

The integrated storage 20 may include a cloud storage 21 and a non-cloud storage 22.

The cloud storage 21 may correspond to public cloud storage provided by a business operator.

The non-cloud storage 22 may correspond to on-premise storage owned by enterprises and institutions.

The integrated storage management device 100 may manage and operate the cloud storage 21 and the non-cloud storage 22 included in the integrated storage 20 in a single configuration.

In this case, the integrated storage management device 100 may provide a cloud service with the same performance at a level in which it is impossible to identify whether a user accesses the cloud storage 21 or the non-cloud storage 22.

2 is a block diagram showing an integrated storage management apparatus according to an embodiment of the present invention. 3 is a detailed block diagram illustrating an example of a storage connection unit shown in FIG. 2. 4 is a block diagram showing in detail an example of the data manipulation unit shown in FIG. 2.

2, the integrated storage management apparatus 100 according to an embodiment of the present invention includes a storage connection unit 110, a data manipulation unit 120, a data distribution and storage unit 130, a back-end storage management unit 140, and It includes a provisioning and policy management unit 150.

The storage connection unit 110 may provide a service of the integrated storage 20 to a user by interworking with the integrated storage 20.

Referring to FIG. 3, the storage connection unit 110 may include a virtual block device service engine 111, a file system service engine 112, and an object storage service engine 113.

In this case, the storage connection unit 110 may provide a protocol processing of block, file, and object storage, an IO interface, and an acceleration function for improving the protocol.

In this case, the storage connection unit 110 may basically provide a block device and a file system service, which are traditional storage service interfaces, to a user, and may also provide an object storage interface that has appeared recently.

The data manipulation unit 120 may provide a virtual disk pool to a user to provide a single storage view of the entire storage system.

That is, the data manipulation unit 120 may configure a virtual disk pool using fast storage resources, and provide storage as virtual disks to a user.

Accordingly, although data is physically distributed over various types of storage, the user can be provided with a single storage configuration without considering the actual storage location of the data.

In this case, the data manipulation unit 120 may provide data management functions such as snapshot, fast replication, and distributed transaction log.

In this case, the data manipulation unit 120 may provide a write buffer or read cache function to a corresponding user in the case of a data writing or data reading operation.

In this case, the data manipulation unit 120 may guarantee a fast response time to a user by using a memory, an SSD, and a PCIe flash card.

In this case, the data manipulation unit 120 may provide a read/write cache of data for providing a service of the integrated storage using a RAM disk.

The data manipulation unit 120 may provide a cache function for data stored in public cloud storage (cloud storage 21). Data stored in public cloud storage is slower than on-premises storage (non-cloud storage 22) because data is transmitted through the Internet network.

In addition, since data is automatically distributed and stored in public cloud storage without the user being aware of it, high-speed access to data stored in public cloud storage is required.

The data manipulation unit 120 caches data stored in the public cloud storage to a storage device inside the cloud integrated storage operation platform, thereby providing access speed of an on-premises storage level to the public cloud storage.

4, the data manipulation unit 120 includes an in-memory name space block 121, a read cache unit 122, a write cache unit 123, an in-memory deduplication engine 124, and an in-memory data compression engine 125. ) Can be included.

The in-memory namespace block 121 stores information that periodically reads and writes to access actual data, and can guarantee a high-speed access speed.

In this case, the in-memory name space block 121 may store information necessary for data access in a high-speed main memory to provide a data storage and management function.

In this case, the in-memory name space block 121 has a limit in its capacity or volatile storage medium. Therefore, backup is performed through real-time backup, and the backed up namespace block can perform a high availability function through clustering of multiple nodes (virtual machines or physical servers).

In this case, the data manipulation unit 120 includes an in-memory-based namespace block 121 and an in-memory deduplication engine 124 and an in-memory data compression engine 125 that are data compression structures in order to provide fast performance of the integrated storage structure. Can also be executed simultaneously in an in-memory block

In this case, the data manipulation unit 120 must ensure a high-speed access speed of the Glover namespace for actual data access, and may provide a high-speed processing method to store and read the data at a high speed.

The read cache unit 122 and the write cache unit 123 may be configured in a form of a single disk including a RAM corresponding to a main memory and a solid state drive (SSD) in the form of a RAM disk.

The read cache unit 122 and the write cache unit 123 may perform real-time backup to the SSD according to the characteristics of the volatile memory.

In this case, the read cache unit 122 and the write cache unit 123 may automatically switch to the SSD-based cache area when all the RAM-based cache areas are exhausted.

In this case, the read cache unit 122 and the write cache unit 123 may provide a form of immediately returning when a user writes to a memory area for a quick write response when writing is performed.

The in-memory deduplication engine 124 and the in-memory data compression engine 125 may correspond to the data distribution and storage unit 130 to be described below.

That is, the data distribution and storage unit 130 may be included in the data manipulation unit 120.

The in-memory deduplication engine 124 may provide a function of distributing and storing data in a plurality of physical devices to prevent data loss.

In this case, the in-memory deduplication engine 124 detects the occurrence of data errors and applies error detection and recovery coding to correct them to cope with data and system errors.

The in-memory data compression engine 125 may perform a task of reducing the size of data by performing a compression function on actual data stored in the backend storage. In particular, in the case of public cloud storage, the in-memory data compression engine 125 can reduce the size of data transmitted through a network by reducing the size of data by compression.

The data distribution and storage unit 130 may provide an optimized function so that writing of received data can always be accessed with minimum overhead.

In this case, the data distribution and storage unit 130 may distribute each object into several pieces for efficient data management, and may distribute and store the distributed pieces in other nodes or data centers to improve reliability.

In this case, the data distribution and storage unit 130 may process selective encryption and compression on the distributed fragments and reflect a policy decision therefor.

In this case, the data distribution and storage unit 130 may detect the occurrence of an error in data and apply an error detection and recovery coding capable of correcting it to cope with data and system errors.

The backend storage management unit 140 may provide a storage interface of the cloud storage 21 and the non-cloud storage 22 for storing the final data generated by the data distribution and storage unit 130 in a final resource.

In this case, the backend storage management unit 140 may provide an automatic or manual storage function for data using tiering based on performance, time, and frequency of use according to the policy of the data distribution storage layer.

In this case, the backend storage management unit 140 may provide a function of automatically distributed storage of data in various storage tiers.

In this case, the backend storage management unit 140 may layer various types of storage based on characteristics of the provided storage.

In this case, the back-end storage management unit 140 may store the initial generated data in a high-speed storage, move the data to a lower-tier storage when the data access frequency decreases, and finally store the data in the public cloud storage.

In this case, the backend storage management unit 140 may automatically move data between various storage tiers according to the characteristics of the data.

The provisioning and policy management unit 150 may be in charge of management of each layer and user-based policy management. In this case, the provisioning and policy management unit 150 may provide a hierarchical interface for provisioning a disk requested by the user.

In this case, metadata for managing and accessing the data in addition to the data stored in the backend storage is required. Meta data of the present invention is generated while the user uses the client device 10, or the user client device 10 and the integrated storage 20 provide client meta data for an interface, data management meta data required for data manipulation, and the last. Storage management metadata used for backend storage can be used.

5 is a diagram showing an example of a ramdisk according to an embodiment of the present invention.

Referring to FIG. 5, it can be seen that the read cache unit 122 and the write cache unit 123, which are RAM disks of the data manipulation unit 120, are shown in detail.

It can be seen that the read cache unit 122 distributes the hashes to block data using the data deduplication engine 122a.

The write cache unit 123 uses the data transaction log unit 123a to manage the log for data recovery in the same node or a node connected to the network in case the data stored in the write cache is lost due to system failure. Can be seen.

The log can store the location and hash value of the data for the detailed block, and can be maintained until the data is saved to the backend storage.

Synchronization between the write cache and the transaction log can be performed as an asynchronous synchronization in which the log queue reaches a certain size or synchronizes at a certain time, or whenever data occurs according to a write request. The detailed blocks located in the write cache can be synchronized to the transaction log node under certain conditions. As time passes, when detailed block-related data is stored in the back-end storage, the detailed block of the write cache and the detailed block of the transaction log node may be excluded from management and deleted.

6 is a diagram illustrating in detail operations of a data distribution and storage unit and a backend storage management unit according to an embodiment of the present invention.

Referring to FIG. 6, the data distribution and storage unit 130 may perform a data compression block 131 to reduce the size of data by performing a compression function on actual data stored in the backend storage. In particular, in the case of public cloud storage, the data compression block 131 may reduce the size of data transmitted through a network by reducing the size of data by compression.

The data distribution block 132 may provide a function of distributing and storing data in a plurality of physical devices in order to prevent data loss.

At this time, the data distribution block 132 detects the occurrence of an error in data and applies error detection and recovery coding to correct it, thereby coping with data and system errors.

It can be seen that the back-end storage management unit 140 may include HDD, SAS, iSCSI storage, and public cloud storage, and provides an interface function for finally storing data in the back-end storage.

At this time, the backend storage management unit 140 operates large-capacity data from memory storage to ensure fast response speed through data distribution policy, parallel input/output (Parallel IO Engine), and multi-path input/output (Multi-Path IO Engine). It can be seen that it provides high-availability services for data operation and connected storage using various types of storage, including cloud storage for storage.

At this time, the back-end storage management unit 140 may store data by distributing it to storage in the same node or storage in multiple nodes composed of clusters, and by adjusting the data size and the number of distributed storage, it is possible to prevent data loss due to system errors. I can.

It can be seen that the backend storage management unit 140 provides a function of automatically distributing and storing data in various storage tiers. It can be seen that various types of storage are layered based on the characteristics of the provided storage. It can be seen that when data is initially created, it is stored in high-speed storage, and when the frequency of data access decreases, it is moved to a lower tier storage, and finally stored in public cloud storage. The backend storage management unit 140 automatically moves data between various storage tiers according to the characteristics of the data.

7 is an operation flow diagram showing an integrated storage management method according to an embodiment of the present invention.

Referring to FIG. 7, the integrated storage management method according to an embodiment of the present invention may first access data (S210).

That is, in step S210, data access may be performed in order to provide a service of the integrated storage to a user by interworking with the integrated storage 20.

In this case, step S210 may provide a virtual disk pool to the user to provide a single storage view of the entire storage system.

In an embodiment of the present invention, the integrated storage management method may read and write data (S220).

That is, in step S220, a read/write cache of data for providing a service of the integrated storage may be provided using a RAM disk.

In this case, in step S220, data stored in the public cloud storage may be cached to a storage device inside the cloud integrated storage operation platform, thereby providing access speed of an on-premises storage level to the public cloud storage.

At this time, in step S220, data is read and written using a ram disk configured in a single disk form including RAM and a solid state drive (SSD) corresponding to the main memory, and a RAM-based cache area When all of this is exhausted, it can be automatically converted to an SSD-based cache area.

The integrated storage management method according to an embodiment of the present invention may perform data distribution and storage (S230).

That is, in step S230, the object of the data may be distributed and stored, and the distributed object may be encrypted and compressed.

In this case, in step S230, data and system errors may be coped with by applying error detection and recovery coding capable of detecting the occurrence of data errors and correcting them.

The integrated storage management method according to an embodiment of the present invention may perform final resource storage of data (S240).

That is, in step S240, the final data generated in step S230 may be stored in the final resource.

In this case, in step S240, an automatic or manual storage function may be provided by using tiering based on performance, time, and frequency of use of the data according to the policy of the data distribution storage layer.

In this case, step S240 may provide a function of automatically distributing and storing data in various storage layers.

In this case, in step S240, various types of storage may be layered based on the characteristics of the provided storage.

In this case, in step S240, the initially generated data is stored in a high-speed storage, and when the frequency of data access decreases, the data is moved to a lower-tier storage, and the data may be finally stored in the public cloud storage.

In this case, in step S240, data may be automatically moved between various storage layers according to the characteristics of the data.

8 is a diagram illustrating a relationship between an integrated storage management device and a service provider according to an embodiment of the present invention.

Referring to FIG. 8, the integrated storage management apparatus 100 according to an embodiment of the present invention provides a storage service (Data Storage Service A) from a plurality of Data Storage Federation (DSF) service providers (DSF Service Providers for Service A to N). ~ N) can be registered.

In this case, the administrator (DSF Service Adminstrator) may provide a plurality of storage services registered through the integrated storage management device 100 to the user.

In this case, a user (DSF Service Customer of Client user) may receive a plurality of storage services using the integrated storage management device 100.

In this case, the integrated storage management apparatus 100 may manage the integrated storage 20 on a multi-tenant basis in order to provide a plurality of storage services.

9 is an operation flow diagram illustrating an integrated storage management method for registering a storage service according to an embodiment of the present invention.

Referring to FIG. 9, in the integrated storage management method for registering a storage service according to an embodiment of the present invention, first, the integrated storage management device 100 may perform a login of a provider (S310).

In this case, in step S310, in order to register the storage service, the provider may log in to the integrated storage management apparatus 100 using a previously registered ID and password.

In this case, in step S310, when the provider's ID and password are not registered for login, a new ID and password may be generated.

In addition, the integrated storage management method for registering a storage service according to an embodiment of the present invention may register a storage service in the storage (S320).

That is, in step S320, a storage service may be registered by checking the cloud storage 21 and the non-cloud storage 22 for registering the storage service.

In this case, in step S320, a registration method may be provided to a provider through a GUI in order to register a storage service.

At this time, step S320 inputs the storage service name, storage specification (size, caching, number of tiers, encryption, on-premises storage support, etc.), data storage service protocol and cloud storage name and type, etc. from the provider through the GUI. It can be received and registered in the corresponding storage.

At this time, the information received through the GUI may be registered through pre-registration when a new provider registers an ID and password.

In addition, the integrated storage management method for registering a storage service according to an embodiment of the present invention may set storage (S330).

That is, in step S330, a virtual storage corresponding to the storage in which the storage service is registered may be created.

In this case, in step S330, the virtual storage may be registered in the virtual disk pool, and a single storage view for providing storage services may be provided to the user through the virtual disk pool.

10 is a block diagram showing an integrated storage management apparatus according to an embodiment of the present invention.

Referring to FIG. 10, the integrated storage management apparatus according to an embodiment of the present invention includes a service connection unit 110, a data manipulation unit 120, a data distribution and storage unit 130, and a backend that are components or main components of each layer. It can be seen that the storage management unit 140 is multi-tenanted and configured in a number corresponding to the storage services registered from the providers (DSF Service Providers A to C).

That is, it can be seen that the integrated storage management device 100 supports a multi-tenant function that simultaneously performs a plurality of services.

In this case, the provisioning and policy management unit 150 may provide an administrator GUI (Administration GUI) to an administrator, and provide and manage a multi-tenant-based integrated storage service.

The storage connection unit 110 and the data manipulation unit 120 may perform a data management step.

In this case, the storage connection unit 110 may provide an interface to the user with the virtual data storage as a single virtual storage.

In this case, the storage connection unit 110 may provide a user access mechanism for using the single virtual storage.

In this case, the user access mechanism may vary according to the type of the single virtual storage.

In this case, the storage connection unit 110 may provide a corresponding protocol or I/O interface of a single virtual volume along with a virtual block device, a file system, and an object storage.

In this case, the storage connection unit 110 may provide protocol performance acceleration.

In addition, the interface provided by the storage connection unit 110 may correspond to a direct interface (ie, an object or block storage interface) or a proxy interface constituting various types of storage interfaces with a software program.

In this case, the software program may include a software agent, a daemon, a web worker, and a RESTful API for an interface to the integrated storage 20.

In this case, the proxy interface may connect the integrated storage 20 by automatically detecting an interface with a software program.

In this case, the storage connection unit 110 may provide a user interface for the user client device 10 to use a single virtual volume.

The user interface may include a graphical user interface, a web application, or a specific client for the user client device 10 to access a specific virtual volume.

In this case, the storage connection unit 110 may provide conversion between the data manipulation unit 120 and a corresponding interface of the integrated storage device 20.

This interface includes API, I/O interface, etc.

In this case, the storage connection unit 110 may provide a secure access mechanism for using a single virtual volume to the user client device 10.

In this case, the storage connection unit 110 may register the requirements of the user client device 10.

The requirements of the user client device 10 may include a data storage capacity, an access mechanism, a storage type of a single virtual volume, a policy, and the like.

In this case, the storage connection unit 110 may provide a seamless connection of an interface with the integrated storage 20 for smooth communication with the integrated storage 20.

In this case, the data manipulation unit 120 may provide the integrated storage 20 as a virtual data storage regardless of the actual storage location of the data.

In this case, the data manipulation unit 120 may convert and store the data stored in the single virtual storage according to at least one conversion process of division, encryption, and compression.

In this case, the data manipulation unit 120 may provide a single virtual storage view of the integrated storage 20 as a virtual storage pool.

In this case, the data manipulation unit 120 may provide a write buffer or read cache function to the user client device 10.

In this case, the data manipulation unit 120 may improve read and write response times by using a memory, an SSD, or a peripheral component interconnect express (PCIe) flash card.

In this case, the data manipulation unit 120 may compensate for a slower access speed compared to on-premises by using a read and write cache.

The read and write cache can improve the performance of a device that stores storage and data, and can be used in various devices for high-speed cache operation.

Various devices for high-speed cache operation may correspond to main memory, RAM-based disks, and SSDs.

In the case of high-speed access, the cache hierarchy can be extended to the main memory. Also, the main memory may use the approach used by SSDs because of its capacity limitation. That is, when the RAM-based cache area is depleted, it can be automatically converted to an SSD area cache. When the user client device 10 performs a write operation, a write operation may be performed in a memory area for a quick write response.

In this case, the data manipulation unit 120 may provide data management for snapshots, fast replication, and distributed transaction logs.

In this case, the data manipulation unit 120 may provide the execution of a create, read, update, delete (CRUD) data operation of the user client device 10.

CRUD data operations may include creation, reading, updating, and deletion of data.

In this case, the data manipulation unit 120 may provide a search data operation from data of the user client device 10 by using a query to the global registry.

In this case, the data manipulation unit 120 may check the sharing status of the DSF data and then update the sharing status of the data in the global registry to provide shared data operation.

Data sharing may mean that the same data is shared during data manipulation.

The data sharing state may correspond to information on whether or not data is shared.

In this case, the data manipulation unit 120 may reduce data storage capacity by using data deduplication.

In this case, the data manipulation unit 120 may provide data encryption/decryption to transmit data to the integrated storage 20.

In this case, the data manipulation unit 120 may provide data recovery of the user client device 10 from a system failure.

Data recovery can prevent data loss due to errors due to storage and network connection errors by restoring data of the user client device 10 that has been used most recently.

In this case, the data manipulation unit 120 may provide data migration to the usable integrated storage 20 for resilience and cost efficiency of the storage space.

Data migration for resilience and cost efficiency of data storage space can be performed automatically without user intervention or recognition.

In this case, the data manipulation unit 120 may provide validation of data for data manipulation in order to check data integrity.

In this case, the data manipulation unit 120 may support data consistency of the user client device 10 with respect to the duplicated data.

Data consistency may mean that the data manipulation unit 120 properly backs up the current data in order to recover the storage error data of the user client device 10.

In this case, the data manipulation unit 120 may support data transparency of the user client device 10.

Transparency of data may mean accessing data without knowing the location of the user client device 10.

In this case, the data manipulation unit 120 may provide a backup of the global name space for high availability.

The backup of the global namespace is synchronized with the actual data, and the backup of the global namespace can perform a high availability function through clustering of multiple nodes (virtual computers or physical servers).

In this case, the data manipulation unit 120 may add a single virtual volume according to a customer's request, such as block-based storage, file-based storage, or other cloud storage.

The data distribution and storage unit 130 may perform a data distribution step.

In this case, the data distribution and storage unit 130 may distribute data to be stored in the integrated storage 20 including on-premises storage and cloud storage.

In this case, the data distribution and storage unit 130 may provide optimization for ensuring minimal overhead while writing data to the integrated storage 20.

In this case, the data distribution and storage unit 130 may provide data fragmentation for distributing and storing data in the integrated storage 20.

Data fragmentation is a method of distributing and storing user data in different repositories, nodes, or data centers to efficiently manage data and improve stability.

In this case, the data distribution and storage unit 130 may provide encryption, decryption, and compression/decompression of data.

In this case, encryption and compression can be considered at the request of the user.

In addition, the data distribution and storage unit 130 may support its own files and file contents as data.

The content type of the file may correspond to one of structured, semi-structured, and unstructured.

In this case, the support of the data distribution and storage unit 130 may support aggregation of data distributed in the local storage of the plurality of integrated storage 20 providers with a corresponding API.

In this case, the data distribution and storage unit 130 may manage the data of the client device 10 in use by focusing on resilience and cost efficiency of the storage space.

For example, data movement for resilience and cost efficiency of a data storage space may be performed automatically without user intervention or recognition.

In this case, the user client device 10 may receive an integrated cloud storage service with the same performance without knowing whether data is stored in the on-premises storage 22 or the cloud storage 21.

In this case, the data distribution and storage unit 130 may verify the service provider in order to integrate the data of the user client device 10.

The backend storage management unit 140 may perform a storage management step.

In this case, the backend storage management unit 140 may connect the integrated storage 20 to store the distributed data and provide storage tiering information of the data to be stored.

In this case, the storage tiering information may vary according to the performance of the storage, the use time of the data, and the access period of the data.

In this case, the backend storage management unit 140 may provide storage tiering in which data is tiered according to a storage performance, a use time of the data, and a data access period.

Storage tiering can correspond to distributing data across multiple storage tiers in a hierarchical manner.

In this case, the backend storage management unit 140 may automatically move data between various storage tiers according to the characteristics of the data.

Data can be stored on a high-speed storage device when it is first created. When the frequency of data access is low, data can be moved to low-speed storage.

At this time, the backend storage management unit 140 may simultaneously access multiple data storage providers in order to aggregate distributed data.

In this case, the backend storage management unit 140 may support a function of delegating access rights to the integrated storage 20 to the user client device 10.

The provisioning and policy management unit 150 may provide configuration and control of logical components.

In this case, the provisioning and policy management unit 150 may provide policy management of data storage and data manipulation.

Data storage policies can include backup, snapshot, expansion, recovery, data caching, thin provisioning, tiering, storage types (files, blocks, objects, etc.).

In this case, the data storage policy may be set by default and may be reconfigured according to the user's request. In addition, the data storage policy may depend on the policy of the unified storage 20.

The reconfigured policy is a policy reconfigured by the provisioning and policy management unit 150 when the integrated storage 20 does not support its own policy.

Data manipulation policies can include support for sharing, read/write, replication, data migration, fragmentation, encryption, compression, and deduplication.

In this case, the data manipulation policy may select both non-sharing and sharing modes including read-only, write, copy options, and write options.

In this case, the provisioning and policy management unit 150 may provide a single virtual volume to the virtual storage pool.

In this case, the provisioning and policy management unit 150 may support a security policy for data transmission (eg, data encryption) to ensure data confidentiality of the user client device 10.

In this case, the provisioning and policy management unit 150 may prevent data loss due to an error in a storage structure based on distributed storage and provide data recovery when a system error occurs.

In addition, the provisioning policy management unit 150 may share data operation metadata with the storage connection unit 110, the data manipulation unit 120, the data distribution and storage unit 130, and the backend storage management unit 140.

Data operation metadata is a description required to perform data operation. Data operation metadata may include attributes of a virtual storage area pool and a single virtual volume. Data operation metadata can include transaction log and DSF data attributes such as read/write caching, snapshot, replication, and fragmentation.

The backend storage management unit 140 may share storage management metadata with the cloud storage 21 and the non-cloud storage 22 of the integrated storage 20.

Storage management metadata is a description required to perform storage area manipulation. Storage management metadata may include the location of the integrated storage 20, an interface, an API for manipulating customer data, read/write speed, and storage capacity.

Customer metadata can be created by the customer to configure the customer's environment.

11 is a block diagram showing a multi-tenant-based integrated storage management apparatus using a backend connection daemon according to an embodiment of the present invention.

Referring to FIG. 11, a multi-tenant-based integrated storage management apparatus using a back-end connection daemon according to an embodiment of the present invention includes a plurality of individual storage services provided by service providers 31, 32, and 33. A connection unit 110, a data manipulation unit 120, a data distribution and storage unit 130, a back-end storage management unit 140, and a provisioning and policy management unit 150 are included.

The storage connection unit 110 may provide a storage service of the integrated storage 20 to a user by interworking with the integrated storage 20.

In this case, the integrated storage 20 may include at least one cloud storage 21 and a non-cloud storage 22.

The data manipulation unit 120 may create a virtual disk pool of the integrated storage 20 and provide a single storage view through at least one virtual disk.

The data distribution and storage unit 130 may provide a data distribution and encryption function so that the writing of the received data can always be accessed with minimum overhead.

The backend storage management unit 140 may interface with the integrated storage 20 using a software-type connection daemon.

In this case, the backend storage management unit 140 may include a necessary interface (object or block storage interface) and a backend connection daemon configured to interface with various types of storage, and may provide a proxy interface for easily registering multiple storages.

At this time, the backend storage management unit 140 registers the cloud service by detecting the storage area interface of the first daemon connected to the cloud storage 21 and the second daemon connected to the non-cloud storage 22 with a proxy interface. can do.

In the backend storage proxy, the object storage daemon interface or the backend connection daemon in which the block storage interface driver is stored automatically detects the storage interface and registers the service.

In order to connect the integrated storage 20, the backend connection daemon may be driven through a virtual machine or container other than a block device, and object storage may be connected through this.

In this case, the backend storage management unit 140 may output the storage on which the interface has been performed as a registerable storage of a storage service.

In this case, the backend storage management unit 140 may manage information for accessing the system or provide a secure path for access to the user to register the storage service.

In this case, the backend storage management unit 140 may create a backend connection daemon one by one each time one storage is connected, and may connect this to a proxy server. The proxy server (not shown) may store and manage user data through a driver interface connected to an upper virtual disk pool (Vpool) through the data manipulation unit 120.

Through this, the integrated storage management apparatus 100 may create one virtual disk (vdisk) when a registered service provider accesses it, and the created virtual disk may be managed within the virtual disk pool. In this case, the user may receive a plurality of storage services from a storage to which a storage service is registered through each virtual disk pool.

The storage configuration in the backend storage management unit 140 may be configured differently from on-premises and public cloud storage services. The interface for backend storage can be provided in the form of a separate software daemon. If there are multiple cloud storage devices, DSF local storage management can be configured, a proxy interface can be configured, and an interface for registering and using on-premises storage can be provided.

The provisioning and policy management unit 150 may register a storage service from a plurality of service providers and manage provision of the storage service on a multi-tenant basis.

At this time, the provisioning and policy management unit 150 registers the cloud storage 21 and the non-cloud storage 22 for providing storage services from the integrated storage management device 100 by the administrator through the management GUI and configures a new service. can do.

At this time, the provisioning and policy management unit 150 can create a cloud account when a service provider subscribes and registers a service and uploads and creates a file, and the uploaded file is cloud storage 21 or non- It can be stored in the cloud storage 22.

At this time, the provisioning and policy management unit 150 displays, creates, modifies, and displays the contents of the cloud service registered in the cloud storage 21 and the non-cloud storage 22 integrated into the integrated storage 20 through the management GUI. It can also provide a function to delete.

The storage configuration is separate from the non-cloud storage 22, and the service of the cloud storage 21 may be separately provided together with the basic configuration.

In this case, the provisioning and policy management unit 150 may independently configure the function of the logical component as a server, a virtual system, or a container having a connection network in the form of a module or function having each individual function.

In this case, the provisioning and policy management unit 150 may register the storage service in any one storage included in the integrated storage 20 corresponding to the service registration information input from the service provider.

In this case, the provisioning and policy management unit 150 may provide the storage service by setting a virtual storage in the storage in which the storage service is registered.

In this case, the provisioning and policy management unit 150 uses a first path through which data moves and a second path through which data is controlled to prevent a decrease in input/output performance of the storage service. You can manage the service.

In this case, the management function for managing the first path and the second path may provide a function of displaying, creating, modifying, and deleting contents of on-premises and public cloud services integrated into a single storage.

In FIG. 11, each logical element may be composed of one server or several servers, and each logical element may be composed of a network through a server, a virtual system, or a container.

A DSF service provider corresponding to the integrated storage management apparatus 100 according to an embodiment of the present invention may provide different interfaces for data paths and management paths to prevent performance degradation of storage services.

DSF service providers can independently configure and control all logical concurrency and corresponding interfaces for self-configuration.

Self-configuration means automatic configuration of logical components, and DSF service providers can manage the configuration of each component built into a server, virtual machine, or container as a connected network.

DSF service providers can manage the back-end storage interfaces to join the unified storage to the DSF service. To participate in unified storage, back-end storage management can provide interfaces (e.g., object or block storage interfaces) and proxies. Interfaces that make up the different types of storage interfaces. The backend storage proxy is a backend connection daemon that can automatically detect storage interfaces and register services.

DSF service providers can support secure cloud storage interfaces for DSF service customers.

12 is an operation flow diagram illustrating a multi-tenant-based integrated storage management method for providing a storage service according to an embodiment of the present invention.

Referring to FIG. 12, in the multi-tenant-based integrated storage management method according to an embodiment of the present invention, data access may be performed first (S410).

That is, in step S410, data may be accessed in order to provide a storage service of the integrated storage 20 to a user by interworking with the integrated storage 20.

In this case, the integrated storage 20 may include at least one cloud storage 21 and a non-cloud storage 22.

The multi-tenant-based integrated storage management method according to an embodiment of the present invention may provide a single storage view (S420).

That is, in step S420, a single storage view may be provided through at least one or more virtual disks by creating a virtual disk pool of the integrated storage 20.

In this case, in step S420, data distribution and encryption functions may be provided so that the writing of the received data can always be accessed with minimum overhead.

In addition, the multi-tenant-based integrated storage management method according to an embodiment of the present invention may perform an interface (S430).

That is, in step S430, an interface with the integrated storage 20 may be performed using a software-type connection daemon.

In this case, step S430 may include a required interface (object or block storage interface) and a backend connection daemon configured to interface with various types of storage, and provide a proxy interface for easily registering multiple storages.

In this case, in step S430, a proxy interface may register a cloud service by detecting a storage interface of a first daemon connected to the cloud storage 21 and a storage area interface of a second daemon connected to the non-cloud storage 22. .

In the backend storage proxy, the object storage daemon interface or the backend connection daemon in which the block storage interface driver is stored automatically detects the storage interface and registers the service.

In order to connect the integrated storage 20, the backend connection daemon may be driven through a virtual machine or container other than a block device, and object storage may be connected through this.

In this case, in step S430, the storage on which the interface has been performed may be output as a registerable storage of the storage service.

In this case, in step S430, in order to register the storage service, the user may manage information for system access or may provide a secure path for access.

In this case, in step S430, each time one storage is connected, one backend connection daemon may be created, and this may be connected to a proxy server. The proxy server (not shown) may store and manage user data through a driver interface connected to an upper virtual disk pool (Vpool) through the data manipulation unit 120.

Through this, the integrated storage management apparatus 100 may create one virtual disk (vdisk) when a registered service provider accesses it, and the created virtual disk may be managed within the virtual disk pool. In this case, the user may receive a plurality of storage services from a storage to which a storage service is registered through each virtual disk pool.

In addition, the multi-tenant-based integrated storage management method according to an embodiment of the present invention may provide a storage service (S440).

That is, in step S440, a storage service may be registered from a plurality of service providers, and provision of the storage service may be managed on a multi-tenant basis.

At this time, in step S440, the administrator may register the cloud storage 21 and the non-cloud storage 22 for providing storage services in the integrated storage management device 100 through the management GUI and configure a new service. .

At this time, in step S440, when the service provider subscribes and registers the service and uploads and creates a file, a cloud account can be created, and the uploaded file is cloud storage 21 or non-cloud storage at the discretion of the administrator. 22) can be saved.

At this time, step (S440) is a function of displaying, creating, modifying, and deleting the contents of the cloud service registered in the cloud storage 21 and the non-cloud storage 22 integrated in the integrated storage 20 through the management GUI. Can also provide.

The storage configuration is separate from the non-cloud storage 22, and the service of the cloud storage 21 may be separately provided together with the basic configuration.

In this case, in step S440, the function of the logical component may be independently configured as a server, a virtual system, or a container having a connection network in the form of a module or function having each individual function.

In this case, in step S440, the storage service may be registered in any one storage included in the integrated storage 20 corresponding to the service registration information input from the service provider.

In this case, in step S440, the storage service may be provided by setting a virtual storage in the storage in which the storage service is registered.

In this case, in step S440, the storage service is managed using a first path through which data moves and a second path through which data is controlled (Control Path) in order to prevent the I/O performance degradation of the storage service can do.

13 is a block diagram showing a computer system according to an embodiment of the present invention.

Referring to FIG. 13, the user client device 10 and the integrated storage management device 100 according to an embodiment of the present invention may be implemented in a computer system 1100 such as a computer-readable recording medium. As shown in FIG. 13, the computer system 1100 includes one or more processors 1110, memory 1130, a user interface input device 1140, and a user interface output device 1150 communicating with each other through a bus 1120. And a storage 1160. Further, the computer system 1100 may further include a network interface 1170 connected to the network 1180. The processor 1110 may be a central processing unit or a semiconductor device that executes processing instructions stored in the memory 1130 or the storage 1160. The memory 1130 and the storage 1160 may be various types of volatile or nonvolatile storage media. For example, the memory may include a ROM 1131 or a RAM 1132.

14 is a diagram showing an integrated storage system according to an embodiment of the present invention.

Referring to FIG. 14, an integrated storage system according to an embodiment of the present invention may include a user client device 10, an integrated storage management device 100, and an integrated storage 20.

First, a data storage federation (DSF) technology according to an embodiment of the present invention may correspond to a technology for providing a single virtual volume from multiple data sources of heterogeneous storage using storage virtualization.

Data virtualization may correspond to a technology that abstracts and manages multiple data resources into logical data resources regardless of the resource location or data structure.

In this case, various data resources may include files, databases, systems, storage, and the like.

In this case, the data storage integration may include various data resources other than the database.

DSF local storage may exist on the backend of the data storage consolidation, and may correspond to the physical storage device where the data is finally stored.

Physical storage devices can include on-premises storage (e.g., memory, SSD, HDD, SAS, iSCSI storage and NAS, etc.) and public cloud storage with complex management devices such as blocks, objects and files.

A single virtual volume may correspond to an entity that provides a virtual block device, virtual disk, or virtual file created using storage virtualization to a customer.

Customers may include end users, servers, operating systems, applications, and other storage devices from cloud service providers using a single user volume.

Storage Virtualization may correspond to a technology that consolidates various types of storage into a virtual storage pool and divides the virtual storage pool into a single virtual volume without physical operational limitations.

In this case, storage virtualization may not interfere with data access, and performance of the storage device may not be degraded.

A virtual storage pool (VPOOL) can correspond to a logical object that aggregates DSF local storage into a single virtual volume.

The abbreviations to be described below can be described as follows.

DSF: Data Storage Federation

API: Application Programming Interface

NAS: Network-Attached Storage

CSC: Cloud Service Customer

CSP: Cloud Service Provider

The data storage policy according to an embodiment of the present invention includes backup, replication, snapshot, automatic expansion, data migration, sales recovery, data caching, thin provisioning, auto-tiering, storage life (blocks, objects and files), etc. I can.

At this time, the data storage policy is basically set among the above components and can be reconfigured according to the request of the customer (user). It may also depend on the DSF local storage policy.

The reconfigured policy may be a policy reconfigured by the component when the DSF local storage does not support its own policy.

The data manipulation policy can select shared mode, including non-shared mode, read-only, write and copy options, and fragmentation options.

In addition, the integrated storage device according to an embodiment of the present invention can process customer metadata created by a customer to configure a customer environment, data manipulation metadata required for data manipulation, and storage management metadata used for DSF local storage. I can.

In this case, the integrated storage device according to an embodiment of the present invention may provide an integrated user interface for the CSP:DSM to use a single virtual volume for the CSC:CSU.

The unified user interface may include CSC:CSU's various storage type access mechanisms to access integration of interactions with its own data storage, data sharing, and single virtual volume building.

Storage types may include object-based storage, file-based storage, and block-based storage.

The access mechanism can represent different types of protocols depending on the type of storage for connecting a single virtual volume. Protocols may include iSCI for block device storage, SMB, NFS, SFTP, FTP for file-based storage, and Restful API for object-based storage.

CSP:FDSP may provide an interface for CSC:CSU to set policies.

To manage single virtual volumes, virtual storage pools and DSF local storage, CSP:DSM can provide a unified management interface to CSC:CSU.

In addition, the integrated storage device according to an embodiment of the present invention may correspond to data storage integration.

Data storage consolidation can provide a unified user interface to CSC:CSU to use a single virtual volume.

The unified user interface can integrate interactions with its own data storage, such as data sharing and access mechanisms for various storage types for CSC:CSU to access a single virtual volume.

Data storage integration can provide an interface for CSC:CSU to set policies.

Data storage consolidation allows DSF service providers to support parallel access to improve the performance of DSF services.

In this case, the DSF service provider may provide an interface for storage registration provided by the data storage provider.

The performance improvement may be related to data caching and data storage.

Data storage consolidation allows CSP:DSM to provide a unified management interface to CSC:CSU to manage a single virtual volume (virtual storage pool and DSF local storage).

Functions for data storage integration may include storage connection interfaces, data integration management, and data storage management.

A function related to the storage connection interface may be performed in the storage connection unit 110 according to an embodiment of the present invention.

The storage connection interface allows DSF service providers to support access mechanisms depending on the storage type.

The storage connection interface allows CSP:FDSP to collect and retrieve service information, including access mechanisms, when a single virtual volume is required for the storage type and CSC: CSU.

For example, the service information may correspond to the service catalog of CSP:FDSP.

The storage connectivity interface allows CSP:FDSP to ensure high-speed access to the global namespace for real data access from DSF local storage.

The global namespace can correspond to a technology that abstracts and integrates heterogeneous file systems across multiple storage devices and cloud storage. Global namespaces reduce the complexity of managing localized files, facilitate storage expansion, and transparently migrate data to reduce the number of mount points and share points. The global namespace is implemented in several ways, but the configuration of CSC:CSU can maintain the same access.

The storage connectivity interface allows CSC:CSU to provide a global namespace for consolidating and managing multiple file systems into DSF local storage.

The storage connection interface can provide separate management and data interfaces for CSP:DSM to prevent performance degradation of DSF services.

The storage connection interface allows CSP:DSM to independently configure and control all logical components and corresponding interfaces for self configuration.

In this case, self configuration means automatic configuration of logical components, and the DSF service provider can manage the configuration of each component built in a server, virtual system, or container as a connection network.

The storage connection interface allows CSP:DSM to manage the DSF local storage connection to join the unified storage to the DSF service.

To participate in unified storage, DSF local storage management can provide interfaces (such as object or block storage interfaces) and proxy interfaces to configure different types of storage interfaces. The DSF local storage proxy is a backend connection daemon that can automatically detect storage interfaces and register services.

The storage connection interface allows CSP:FDSP to use a secure storage interface for CSC:CSU and DSF local storage.

The storage connection interface can use CSP:DSM properties for CSC:CSU to use a single virtual volume.

The registration information may include the data storage service name, data storage specifications (size, caching, tier count encryption, on-premises storage support, etc.), and service protocol and cloud storage type.

The storage connection interface allows CSP:DSM to configure and provision data storage services to call a single virtual volume from registration information.

In addition, the function for integrated data management may be performed by the data manipulation unit 120 according to an embodiment of the present invention.

Data integration management allows DSF service providers to support the file itself and its contents as data.

The content type of a file can be structured, semi-structred, and unstructured.

Data integration management can support CSP:FDSP to aggregate distributed data in DSF local storage of multiple DSF local storage providers by corresponding API.

Data integration management allows CSP:DSM to manage data in CSC:CSU, which focuses on storage space elasticity and cost efficiency.

For example, data movement for resilience and cost efficiency of data storage space can be performed automatically without user intervention or recognition.

Data integration management can validate the CSP:FDSP to integrate the data of CSC:CSU.

In addition, functions related to data storage management may be performed by the data distribution and storage unit 130 and the backend storage management unit 140.

Data storage management allows CSP:FDSP to provide simultaneous access to multiple data storage providers to aggregate distributed data.

For data storage management, CSP:FDSP can support CSC:CSU delegating DSF local storage access rights.

Data storage management can be integrated with DSF local storage to provide a virtual pool of storage that can be viewed through a single system view.

Data storage management can provide read/write caches for CSP:FDSP to compensate for slower access speeds than on-premises.

The read/write cache can improve the performance of the storage, and a device that stores data can use a variety of devices for fast cache work.

For example, various devices for fast cache may include main memory, RAM-based disks, and SSDs.

For example, the cache hierarchy can be extended to basic memory for fast access. In addition, the main memory can use the approach used for SSDs due to capacity limitations. When the RAM-based cache area is exhausted, it can be automatically converted to an SSD area cache. When a DSF service customer performs a write operation, a write operation can be performed in the memory area for quick write response.

Data storage management allows CSP:FDSP to provide backup of the global namespace for high availability.

The backup of the global namespace is synchronized with the actual data, and high availability functions can be performed through clustering of multiple nodes (virtual machines or physical servers).

Data storage management, CSP:FDSP can support adding a single virtual volume according to the needs of DSF service customers such as block-based storage, file-based storage or other cloud storage.

In addition, functions related to provisioning and policy management may be performed by the provisioning and policy management unit 150.

Provisioning and policy management can provide configuration for setting data storage policies for CSC:CSU.

Provisioning and policy management can assist DSF service providers to manipulate data policies for DSF service customers.

For example, the data policy may include a non-shared mode and a shared mode including read-only, write, and duplicate.

Provisioning and policy management may include functions related to security policies (eg, data encryption) that support CSP: FDSP for data transmission to ensure data confidentiality of CSC:CSU.

For provisioning and policy management, CSP:FDSP can prevent data loss due to errors in the storage structure based on distributed storage and provide data recovery in case of system failure.

The integrated storage management apparatus 100 may handle various data types such as structured, semi-structred, and unstructured data to increase service quality as well as create a new service.

In this case, the integrated storage management apparatus 100 can efficiently handle and synthesize heterogeneous storages in order to use various data in the integrated storage 20, and can easily use the data.

In this case, the integrated storage management device 100 may provide a virtual storage pool of a single virtual volume (SINGLE VIRTUAL VOLUME) to the user client device 10.

In this case, the integrated storage management device 100 may execute various requests such as creating, storing, reading, updating, and deleting data on the integrated storage 20.

Data virtualization is a technology that manages multiple data resources without interruption regardless of the resource location or data structure.

Several data resources can include files, databases, systems, storage, and more.

The integrated storage 20 may be located at the back end of the integrated storage management device 100 and may correspond to physical storage devices in which data is finally stored.

Physical storage devices may include on-premises storage 22 (eg, memory, SSD, HDD, SAS, iSCSI storage and NAS, etc.) and public cloud storage 21 such as blocks, objects, and files.

A single virtual volume may correspond to an object provided to the user client device 10 as a virtual block device, a virtual disk, or a virtual file created using a virtual file.

The user client device 10 may include end users, servers, operating systems, applications, and other storage devices of a cloud service provider using a single virtual volume.

The integrated storage management device 100 may integrate different types of storage into a virtual storage pool using storage virtualization technology and divide the virtual storage pool into a single virtual volume without limitation of physical storage.

These single virtual volumes have no barriers to data access and less damage to the performance of the storage device.

The virtual storage pool may correspond to a logical object that provides the storages of the integrated storage 20 in a single virtual volume as a single virtual storage view.

As shown in FIG. 14, a virtual storage pool may be formed by an integrated storage 20 (cloud storage 21 and on-premises storage 22) connected to and adjusted to an API and an I/O interface. The integrated storage 20 may support block, file, and object types.

The integrated storage management device 100 may create and provide a single virtual volume storage to the user client device 10.

In this case, the integrated storage management device 100 may generate a single virtual volume storage through federation of the integrated storage 20 and may provide a single access point to the user client device 10.

In this case, the integrated storage management device 100 may support a single virtual volume storage using policy-based provision and management. The contract/operation matters can help to increase operational management on the operator side, and on the user side can help simplify and use a single virtual volume storage.

Users use the user client device 10 to create, store, and read user data (eg images for gallery, audios for music player, documents for collaboration, application data for service, and etc.) on their single virtual volume storage. You can use a single virtual volume storage for updates, updates and deletions.

When the user client device 10 connects to the single virtual volume storage of the unified storage management device 100, unified request commands may be executed as if the unified storage 20 has a different connection connection.

User data supported by the integrated storage management device 100 may or may not be distributed in terms of contract/operation.

The integrated storage management apparatus 100 may compress user data into data information such as a storage location, a data history, and a content type of a file in order to handle user data.

In this case, the integrated storage management apparatus 100 may generate data virtualization on the virtual storage pool using data abstraction.

At this time, the integrated storage management device 100 reduces data copying in the virtual storage pool and provides an environment for sharing data without copying or moving the original data, thereby finding data and handling data I/O. Can be reduced. The interaction that modulates the data can be based on the user's data operation/contract. For example, it may be based on data operation/contract policies such as read-only or overwriting and copying in the shared mode.

In this case, a single virtual volume may be built by different storages and connection sets of the unified storage.

15 is a diagram illustrating multiple storage types and an access mechanism for data access in an integrated storage system according to an embodiment of the present invention.

Referring to FIG. 15, the user client device 10 may request various service interfaces and storage types from the integrated storage management device 100.

In this case, the integrated storage management device 100 may provide a service interface to the user client device 10 by using a corresponding access mechanism.

In this case, the user client device 10 may use a storage type owned by itself.

At this time, the user client device 10 may be a general user (individually owns storage), some applications (APPLICATION PROGRAM), application servers (APPLICATION SERVER), and other cloud systems.

In this case, the integrated storage management device 100 may provide various types of storage.

The storage type may correspond to object-based storage, file-based storage, and block-based storage.

In this case, the integrated storage management device 100 may support an access mechanism based on a storage type.

The access mechanism may include different types of protocols depending on the storage type.

An example of a protocol may correspond to a protocol using iSCSI for block device storage, SMB for file-based storage, NFS, SFTP, FTP, and Restful API for object-based storage.

An example of service information may correspond to a service catalog for the integrated storage device 10 or the like.

16 is a diagram illustrating a data read/write cache and a parallel distributed file for improving performance according to an embodiment of the present invention.

Referring to FIG. 16, CSP:FDSP may provide a cache function for data stored in public cloud storage. Because data is transferred over the Internet, data stored in public cloud storage can be slower than on-premises storage. In addition, since data is automatically distributed to the public cloud storage without being recognized by CSC:CSU, a high-speed access function can be performed on data stored in the public cloud storage. CSP:FDSP can provide on-premises storage-level access speed to public cloud storage by caching data stored in public cloud storage to storage devices inside the cloud integrated storage operating platform.

CSC:CSU requests a single virtual volume from CSP:FDSP and can contain its own data storage.

CSP:FDSP can provide a storage system, appliance or device for integrating other storage.

DSF service providers can provide read/write caches to compensate for slower access speeds than on-premises.

The read/write cache may correspond to software for improving storage performance, and a device storing data for a cache function may be implemented using various devices for fast cache operation.

For example, various devices for fast cache operation may correspond to main memory, RAM-based disks, and SSDs.

The cache hierarchy can be extended to main memory for fast access. In addition, the main memory may use a method used for SSD due to capacity limitations. When the RAM-based cache area is exhausted, it can be automatically converted to an SSD area cache. When a DSF service customer performs a write operation, a write operation can be performed in the memory area for quick write response.

DSF service providers can use a variety of devices to provide high-speed access to the global namespace for real data access.

Global namespaces can abstract and unify heterogeneous file systems across multiple storage devices and cloud storage.

Global namespaces can significantly reduce the complexity of managing localized files, facilitate storage expansion, and transparently migrate data to reduce the number of mount points and share points. Global namespaces can be implemented in several ways, but clients can maintain the same access.

DSF service providers can provide backup of the global namespace for high availability. The backup of the global namespace is performed through real-time backup, and the backup of the global namespace can perform a high availability function through clustering of multiple nodes (virtual machines or physical sensors).

DSF service providers can support security policies (eg, data encryption) for data transmission to ensure the confidentiality of users' data.

DSF service providers can support aggregation of distributed data across heterogeneous data storage from multiple data storage providers.

DSF service providers can provide simultaneous access to multiple data storage providers to aggregate distributed data.

DSF service providers can support delegation of DSF service customers' access rights to heterogeneous storage.

17 is a diagram illustrating a use case of an integrated storage management system according to an embodiment of the present invention.

Referring to FIG. 17, it can be seen that a use case for the integrated storage management device 100, which is one storage system connected to the integrated storage 20 including various storage types, is shown. As shown in FIG. 17, regardless of the type of storage system, the user client device 10 is an integrated user view and can be regarded as an integrated storage. You may not use it. Accordingly, the integrated storage management function of the integrated storage management device 10 may display multiple storage systems of the storage to the user client device 10 as a single system by the integrated storage system or appliance. Furthermore, the integrated storage management device 100 may provide an integrated management interface.

In this case, the user client device 10 may request data storage from the integrated storage management device 100 and may own the requested data storage.

In this case, the integrated storage management apparatus 100 may provide a storage system, an appliance, or a device for integrating other storages.

In this case, the integrated storage management device 100 may variously support data storage such as block-based storage, file-based storage, or other cloud storage according to the request of the user client device 10.

In this case, the integrated storage management device 100 may provide an integrated user interface to the user client device 10 to access data storage for various types of service mechanisms.

In this case, the integrated storage management apparatus 100 may prevent data loss due to an error from a storage structure based on distributed storage, and may provide a data restoration function caused by a system error.

In this case, the integrated storage management apparatus 100 may provide a global name space.

In this case, the integrated storage management device 100 may provide a unified management interface to the user client device 10 in order to manage data storage.

In this case, the integrated storage management device 100 may integrate data storage by providing a user interface for policies and other options.

In this case, the integrated storage management device 100 may integrate and verify data of the user client device 10.

For example, CSC:CSU may correspond to unified storage, and CSC:CSU may include various storages. Thus, an integrated storage system or appliance can view multiple storage systems in storage as a single system. An integrated management interface can be provided as a function related to this management.

CSC:CSU may request data storage from a DSF service provider, and may have its own data storage.

CSP:FDSP allows storage systems, appliances or devices to integrate different storage.

DSF service providers can provide data storage displayed in a single system view through integration with on-premises storage, cloud storage and other storage.

The DSF service provider may correspond to the integrated storage management apparatus 100 according to an embodiment of the present invention.

DSF service providers can manage DSF service customer data with a focus on storage space resiliency and cost effectiveness.

For example, data movement for resilience and cost efficiency of a data storage space may be performed automatically without user intervention or recognition. Users can use data storage services with the same performance without knowing whether the data is stored in on-premises storage or in cloud storage.

DSF service providers can support a variety of data storage, such as block-based storage, file-based storage, or other cloud storage, depending on the needs of DSF service customers.

DSF service providers can provide a unified user interface for DSF service customers to access data storage for various types of service mechanisms.

DSF service providers can prevent data loss due to errors in storage structures based on distributed storage and provide data recovery in case of system failure.

DSF service providers can provide a global namespace for integrating and managing multiple file systems.

DSF service providers can provide a unified management interface to DSF service customers to manage data storage.

DSF service providers can provide user interfaces for policies and other options for data storage federation.

The DSF service provider can validate the DSF service customer's data to federate.

18 is an operation flow diagram illustrating a data storage registration process for an integrated storage service according to an embodiment of the present invention.

Referring to FIG. 18, after logging in (LOGIN), CSC:CSU may request registration of data storage cloud storage from CSP:FDSP (REGISTERING FOR CLOUD STRAGE).

In the case of data storage registration, CSC:CSU can log in through already registered authentication information and register the cloud storage and on-premises storage to be used (REGISTERING FOR ON-PREMISE STORAGE).

The registration process can be provided by CSP:DSM through a GUI.

CSC:CSU can register the service name, storage specification, data storage service protocol and cloud storage name and cloud storage type through GUI, set up virtual data storage (SETTING SIGLE VIRTUAL VOLUME), and create virtual data storage ( INVCOKING SINGLE VIRTUAL VOLUME).

CSC:CSU for virtual data storage may correspond to a user registered in CSP: DSM.

CSP:DSM can have each cloud storage service interface.

DSF service providers can provide registration information for DSF service customers to use virtual data storage.

The registration information may include the data storage service name, data storage specifications (size, caching, tier count, encryption, on-premises storage support, etc.), and service protocol and cloud storage type.

DSF service providers can invoke virtual data storage by configuring and provisioning data storage services in registration information.

19 is a block diagram showing an apparatus for processing sensitive data according to an embodiment of the present invention.

Referring to FIG. 19, a sensitive data processing apparatus 2100 according to an embodiment of the present invention includes a data non-protected area processing unit 2110 and a data protected area processing unit 2120, and the sensitivity of the cloud integrated story device 2200 By reading data, sensitive data may be processed according to the request of the client device 2010.

The cloud integrated storage device 2200 may store encrypted sensitive data.

The data unprotected area processing unit 2110 may read encrypted sensitive data of the cloud integrated storage device 2200 and transmit the encrypted sensitive data to the data protection area processing unit 2120 using the sensitive data storage endpoint.

The data protection area processing unit 2120 may decrypt the transmitted encrypted sensitive data and may wait for a data service command request from the data unprotected area processing unit 2110.

At this time, the data unprotected area processing unit 2110 may request a data service command to the data protection area processing unit 2120 using the sensitive data service endpoint after receiving the data service command from the client device 10 connected to the network. have.

At this time, the data protection area processing unit 2120 may perform data processing based on the sensitive data decoded above according to the received data service command, and then transfer the processing result of the sensitive data to the data unprotected area processing unit 2110. have.

In this case, the data non-protected area processing unit 2110 may transmit the processing result of the sensitive data to the client device 10.

FIG. 20 is a detailed block diagram illustrating an example of a cloud integrated storage device and a data unprotected area processing unit shown in FIG. 19. FIG. 21 is a detailed block diagram illustrating an example of a data unprotected area processing unit and a data protected area processing unit shown in FIG. 19.

Referring to FIG. 20, a cloud integrated storage device 2200 according to an embodiment of the present invention includes an encryption unit 2210, a key storage unit 2220, an on-premises storage 2230, and a cloud storage 2240. I can.

The encryption unit 2210 may encrypt sensitive data and store a key used for encryption in the key storage unit 2220.

The key used for encryption can be encrypted with the master key and then stored in the key storage to prevent leakage.

In this case, the encryption unit 2210 may store the encrypted sensitive data in the on-premises storage 2230 and the cloud storage 2240.

In addition, the data unprotected area processing unit 2110 of the sensitive data processing apparatus 2100 according to an embodiment of the present invention includes a sensitive data transmission unit 2111, a key transmission unit 2112, a sensitive data service calling unit 2113, and It may include a client service API unit 2114.

In addition, the data protection area processing unit 2120 of the sensitive data processing apparatus 2100 according to an embodiment of the present invention includes a sensitive data service gateway unit 2121, a sensitive data storage unit 2122, a key storage unit 2123, and A sensitive data decoding unit 2124 and a sensitive data processing unit 2125 may be included.

In this case, the sensitive data service gateway unit 2121 may include a sensitive data storage endpoint 3211, a key storage endpoint 3212, and a sensitive data service endpoint 3213.

The sensitive data service gateway unit 2121 may provide a data processing service for sensitive data.

In this case, the sensitive data service gateway unit 2121 may provide a result of processing sensitive data in the data protection area as a data non-protection area.

The sensitive data storage endpoint 3211 may receive encrypted sensitive data transmitted from the data unprotected area.

The key storage endpoint 3212 may receive a decryption key for decrypting the encrypted sensitive data from the non-data protected area.

In this case, the sensitive data service gateway unit 2121 may further include an endpoint that receives a call to start transmission of sensitive data and an endpoint that receives a call to end transmission of the sensitive data from the data unprotected area.

The sensitive data transfer unit 2111 reads encrypted sensitive data stored in the cloud integrated storage device 2200, and transfers the encrypted sensitive data using the sensitive data storage endpoint 3211 of the data protection area processing unit 2120. I can.

The sensitive data storage unit 2122 may store encrypted data received from the sensitive data storage endpoint 3211 in a memory inside the data protection area.

The key transfer unit 2113 receives the decryption key from the key storage unit 2220 of the cloud integrated storage device, and stores the decryption key through the key storage endpoint 3212 of the data protection area processing unit 2120. ) Can be stored in the tag-key storage unit 2123a. The tag-key storage unit 2123a may store a tag for encrypted sensitive data and a corresponding decryption key.

The sensitive data decryption unit 2124 may extract the decryption key from the tag-key storage unit 2123a and decrypt the encrypted sensitive data using the decryption key.

In this case, the client device 2010 may request a sensitive data service by calling the client service API unit 2111 of the sensitive data processing device 2100 through a network to receive a data service.

The sensitive data service calling unit 2112 may request a data service command to the data protection area using the sensitive data service endpoint 3213.

The sensitive data service gateway unit 2121 may perform a data processing service by calling the sensitive data processing unit 2125 called by the sensitive data service calling unit 2112.

The sensitive data processing unit 2125 may process the decrypted sensitive data according to a data service request and store a processing result of the generated sensitive data as processing result data. As the decrypted sensitive data is securely protected inside the data protection area, leakage to the outside may be prevented at the source. The processing result data may be transmitted to the data unprotected area through the sensitive data service gateway unit 2121, and then the processing result of the sensitive data may be transmitted to the client device 2010.

The data non-protected area of the data non-protected area processing unit 2110 is an area in which there is a possibility of data leakage, and sensitive data in the data non-protected area may exist in an encrypted state to prevent leakage.

In this case, the non-data protected area does not directly process sensitive data, and the sensitive data and a key for decrypting the sensitive data may be transferred to the data protection area.

In addition, the data unprotected area processing unit 2110 may receive a sensitive data service command from the client device 2010 and may request a sensitive data service command to the data protection area.

The data protection area of the data protection area processing unit 2120 may be fundamentally blocked from data leakage. The data protection area may not provide all input/output functions, including storage input/output, network input/output, and user input/output, which are provided by general operating systems.

In addition, the data protection area may block access to the memory inside the data protection area from outside the data protection area based on a hardware function or a virtualization function of the CPU.

At this time, since the data protection area can be accessed only through the sensitive data service endpoint, and the sensitive data service endpoint provides only predefined services, all other access can be blocked.

Accordingly, data inside the data protection area is absolutely inaccessible from the outside, and data leakage may be fundamentally blocked.

In this case, the data protection area includes at least one endpoint for processing sensitive data, and the sensitive data may be processed using an endpoint called from the data non-protection area.

At this time, the data protection region is an endpoint that receives a call to start transmission of the sensitive data from the data unprotected region, an endpoint that receives the decryption key, an endpoint that receives the sensitive data to the data protection region, and the It may include an endpoint that is called to terminate the delivery of sensitive data.

In this case, the endpoint included in the data protection area may check a tag preset in the service argument of the sensitive data, and process the sensitive data using information corresponding to the tag.

FIG. 22 is a detailed block diagram illustrating an example of a sensitive data service gateway unit shown in FIG. 21.

Referring to FIG. 22, the sensitive data service gateway unit 2121 includes a sensitive data processing execution unit 3214, a service parameter copy unit 2126, a processing result copy unit 2127, and a data unprotected memory area processing unit ( 128) and a data protection memory area processor 2129 may be further included.

The sensitive data service calling unit 2112, the key transmission unit 2113, and the sensitive data transmission unit 2114 of the data non-protected area processing unit 2110 receive a service argument of sensitive data required for a service request, and the data non-protected memory area processing unit 2128. It can be stored as a service argument.

The service argument copying machine 2126 may copy the sensitive data to the data protection memory area processing unit 2129 as a service argument.

The data protection area processing unit 2120 may store the processing result data in the data protection memory area processing unit 2129 as processing result data. It can be copied as processing result data.

At this time, the data protection area processing unit 2120 stores the service argument of the sensitive data in the data non-protected memory area processing unit 2128 through the sensitive data service gateway unit 2121, and the data non-protected memory area processing unit 2128 The service factor of the sensitive data stored in the data protection memory area processing unit 2129 may be copied and stored, and the sensitive data may be processed using the service factor of the sensitive data stored in the data protection memory area processing unit 2129.

At this time, the data protection area processing unit 2120 stores the processing result of the sensitive data in the data protection memory area processing unit 2129 through the sensitive data service gateway unit 2121, and the data protection memory area processing unit 2129 ), the processing result of the sensitive data stored in the data non-protected memory area processing unit 2128 is copied and stored, and the processing result of the sensitive data stored in the data non-protected memory area processing unit 2128 is transferred to the data non-protected area processing unit 2110. I can deliver.

The sensitive data processing execution unit 3214 includes a plurality of units inside the data protection area processing unit 2120 corresponding to the plurality of endpoints called by the data non-protection area processing unit 2110 (sensitive data processing unit 1-N 2125). , The sensitive data decryption unit 2124, the key storage unit 2123, and the sensitive data storage unit 2122) may be called.

Referring to FIG. 13, the sensitive data processing apparatus 2100 according to an embodiment of the present invention may be implemented in a computer system 1100 such as a computer-readable recording medium. As shown in FIG. 13, the computer system 1100 includes one or more processors 1110, memory 1130, a user interface input device 1140, and a user interface output device 1150 communicating with each other through a bus 1120. And a storage 1160. Further, the computer system 1100 may further include a network interface 1170 connected to the network 1180. The processor 1110 may be a central processing unit or a semiconductor device that executes processing instructions stored in the memory 1130 or the storage 1160. The memory 1130 and the storage 1160 may be various types of volatile or nonvolatile storage media. For example, the memory may include a ROM 1131 or a RAM 1132.

In this case, the sensitive data processing apparatus 100 according to an embodiment of the present invention includes one or more processors 1110 and an execution memory 1130 storing at least one program executed by the one or more processors 1110. Including, the at least one program reads the sensitive data stored in the storage device 2200 from the data non-protected area, transfers the sensitive data to the data protection area by using the sensitive data storage endpoint of the data protection area, In the data protection area, when receiving a sensitive data service command requested by the client device 2010 from the data non-protection area, the sensitive data is processed using at least one endpoint, and in the data non-protection area, the client device ( 2010) can deliver the processing result of the sensitive data.

In this case, in the data protection area, an input/output function provided by an operating system is blocked, and access to a memory from outside the data protection area is blocked based on a hardware function and a virtualization function.

At this time, the at least one program receives a decryption key for decrypting the encrypted sensitive data in the data non-protection area from the storage device 200, and uses the key storage endpoint of the data protection area. The decryption key can be transferred to the data protection area.

At this time, the at least one program decrypts the sensitive data using the decryption key in the data protection area, and the sensitive data from the client device received from the data unprotected area using the sensitive data service endpoint The decrypted sensitive data can be processed by a service command.

In this case, the at least one program may store the processing result of the sensitive data through the sensitive data service gateway in the data protection area, and transmit the processing result of the sensitive data to the non-data protected area.

In this case, the at least one program stores the service factor of the sensitive data in the data non-protected memory area through the sensitive data service gateway in the data protection area, and the service factor of the sensitive data stored in the data non-protected memory area. The sensitive data may be copied and stored in a data protection memory area, and the sensitive data may be processed using a service factor of the sensitive data stored in the data protection memory area.

In this case, the at least one program stores the processing result of the sensitive data in the data protection memory area through the sensitive data service gateway in the data protection area, and the processing result of the sensitive data stored in the data protection memory area May be copied to the data non-protected memory area and stored, and a result of processing sensitive data stored in the data non-protected memory area may be transmitted to the data non-protected area.

In this case, the data protection area includes at least one endpoint for processing the sensitive data, and the sensitive data may be processed using an endpoint called from the data non-protection area.

At this time, the data protection region is an endpoint that receives a call to start transmission of the sensitive data from the data unprotected region, an endpoint that receives the decryption key, an endpoint that receives the sensitive data to the data protection region, and the It may include an endpoint that is called to terminate the delivery of sensitive data.

At this time, the at least one program can process the sensitive data using the information corresponding to the tag, and the endpoint included in the data protection area checks a tag preset in the service argument of the sensitive data. have.

23 is an operation flow diagram showing a method of processing sensitive data according to an embodiment of the present invention.

Referring to FIG. 23, in a method for processing sensitive data according to an embodiment of the present invention, first, a client device 2010 may request a sensitive data service using a client service API of the sensitive data processing device 2100 (S2310). .

In addition, in step S2310, sensitive data stored in the storage device may be read from the non-data protected area, and the sensitive data may be transmitted to the data protected area using a sensitive data storage endpoint.

In this case, in step S2310, in the data unprotected area, a decryption key for decrypting the encrypted sensitive data is received from the storage device, and the decryption key is transferred to the decryption key using a key storage endpoint in the data protection area. It can be delivered to the data protection area.

In addition, the sensitive data processing method according to an embodiment of the present invention provides a sensitive data service to the data protection area processing unit 2120 by the data unprotected area processing unit 2110 of the sensitive data processing device 2100 using a sensitive data service endpoint. A command can be called (S2320).

In addition, in the sensitive data processing method according to an embodiment of the present invention, the data protection area processing unit 2120 of the sensitive data processing apparatus 2100 stores the sensitive data processing and the derived result in the processing result data, and the data unprotected area processing unit The processing result of the sensitive data may be transmitted to 2110 (S2330).

That is, in step S2330, when a sensitive data service command requested by the client device 2010 is received from the data unprotected area processing unit 2110, the sensitive data may be processed using at least one endpoint.

At this time, step (S2330) decrypts the sensitive data using the decryption key in the data protection area, and from the client device 2010 received from the data unprotected area using the sensitive data service endpoint. The decrypted sensitive data may be processed by a sensitive data service command.

In this case, in step S2330, the processing result of the sensitive data may be stored in the data protection area through the sensitive data service gateway, and the processing result of the sensitive data may be transmitted to the data unprotected area processing unit 2110.

In this case, in step S2330, in the data protection area, the service factor of the sensitive data is stored in a data unprotected memory area through the sensitive data service gateway, and the service factor of the sensitive data stored in the data unprotected memory area is data The sensitive data may be copied and stored in a protected memory area, and the sensitive data may be processed using a service factor of sensitive data stored in the data protection memory area.

In this case, in step S2330, in the data protection area, the processing result of the sensitive data is stored in the data protection memory area through the sensitive data service gateway, and the processing result of the sensitive data stored in the data protection memory area is stored. The data may be copied and stored in the non-data protected memory area, and a result of processing sensitive data stored in the data non-protected memory area may be transmitted to the data non-protected area.

In addition, in the sensitive data processing method according to an embodiment of the present invention, the data non-protected area processing unit 2110 may transmit the processing result of the sensitive data to the client device 2010 (S2340).

In addition, in the sensitive data processing method according to an embodiment of the present invention, the client device 2010 may receive a processing result of the sensitive data in response to the sensitive data service request from the sensitive data processing device 2100 (S2350).

24 is a flowchart illustrating a method of processing sensitive data in a data unprotected area processing unit and a data protected area processing unit according to an embodiment of the present invention.

Referring to FIG. 24, in the method for processing sensitive data according to an embodiment of the present invention, the data unprotected area processing unit 2110 may first read encrypted sensitive data from the cloud storage device 2200 (S2410).

In addition, the sensitive data processing method according to an embodiment of the present invention may divide the encrypted sensitive data into N segments (S2420).

In addition, the sensitive data processing method according to an embodiment of the present invention may notify the data protection area processor 2120 of the start of transmission of encrypted data by calling the put_data_start endpoint (S2430).

In this case, the service factor 1 tag is a tag that identifies encrypted sensitive data, and the service factor 2 may represent the total size of the encrypted data.

In addition, in the method for processing sensitive data according to an embodiment of the present invention, the data protection area processing unit 2120 may prepare to store encrypted sensitive data by allocating a memory of a size designated to the endpoint inside the data protection area. (S4300)

In addition, in the method for processing sensitive data according to an embodiment of the present invention, the data unprotected area processing unit 2110 may inform the data protection area processing unit 2120 of a decryption key for decrypting the encrypted sensitive data using the put_key endpoint. There is (S2440).

In this case, the service factor 1 tag is a tag that identifies encrypted sensitive data, and the service factor 2 is a key for decrypting the encrypted sensitive data.

In addition, in the method for processing sensitive data according to an embodiment of the present invention, the data protection area processing unit 2120 may store the decryption key and the tag together in the tag-key storage unit 2123a of the key storage unit 2123 (S4400). ).

In addition, in the method for processing sensitive data according to an embodiment of the present invention, the data unprotected area processing unit 2110 divides the encrypted sensitive data into segments using the put_data endpoint and transfers each segment to the data protection area processing unit 2120. Yes (S450).

At this time, the service factor 1 tag is a tag that identifies encrypted sensitive data, the service factor 2 data is the encrypted data segment to be transferred, the service factor 3 size is the size of the data to be transferred, and the service factor 4 segment number is This is the number of the segment to be delivered.

At this time, the put_data endpoint transmits data in units of segments, and thus may be repeatedly performed until the entire encrypted data is delivered (S2460).

In addition, in the method for processing sensitive data according to an embodiment of the present invention, the non-protected area processing unit 110 may notify the data protection area processing unit 2120 that transmission of data corresponding to the tag has been completed using the put_data_end endpoint ( S2470).

In this case, the tag, which is the service factor of 1, is a tag that identifies encrypted data.

In addition, the sensitive data processing method according to an embodiment of the present invention uses a key stored in the tag-key storage unit 2123a for encrypted sensitive data transmitted by the data protection area processing unit 2120 according to the call of the put_data_end endpoint. Then, it can be decrypted (S4700).

In addition, in the sensitive data processing method according to an embodiment of the present invention, after step S4700, a request for a sensitive data service from the client device 2010 may be waited (S4800).

25 is a flowchart illustrating a method of processing sensitive data in a sensitive data service gateway unit according to an embodiment of the present invention.

Referring to FIG. 25, in a method for processing sensitive data in a sensitive data service gateway unit according to an embodiment of the present invention, service argument data may be received first (S2510).

In this case, in step S2510, a service factor of sensitive data required for a service request may be stored in the data unprotected memory area processing unit 2128 as a service factor.

The sensitive data processing method in the sensitive data service gateway unit according to an embodiment of the present invention may call endpoints inside the sensitive data service gateway unit 2121 (S2520).

In addition, in the sensitive data processing method in the sensitive data service gateway unit according to an embodiment of the present invention, the service argument copying machine 2126 may copy the sensitive data to the data protection memory area processor 2129 as a service argument ( S2530).

In addition, the sensitive data processing method in the sensitive data service gateway unit according to an embodiment of the present invention may call processing units inside the data protection area processing unit (S2540).

That is, in step S2540, a plurality of units within the data protection area processing unit 2120 corresponding to a plurality of called endpoints (sensitive data processing unit 1-N 2125, sensitive data decoding unit 2124), key The storage unit 2123 and the sensitive data storage unit 2122 may be called.

In addition, the sensitive data processing method in the sensitive data service gateway unit according to an embodiment of the present invention may complete data processing and store the processing result in the processing result data (S2550).

That is, in step S2550, the processing result of the processed sensitive data may be stored in the data protection memory area processing unit 2129 as processing result data.

In addition, the sensitive data processing method in the sensitive data service gateway unit according to an embodiment of the present invention may copy processing result data (S2560).

That is, in step S2560, the processing result data of the data unprotected memory area processing unit 2128 may be copied through the processing result copying unit 2127.

At this time, in steps S2510 to S2550, the service argument of the sensitive data is stored in the data unprotected memory area processing unit 2128 through the sensitive data service gateway unit 2121, and the data unprotected memory area processing unit ( The service factor of the sensitive data stored in 2128) is copied to the data protection memory area processing unit 2129 and stored, and the sensitive data can be processed using the service factor of the sensitive data stored in the data protection memory area processing unit 2129. have.

At this time, in steps (S2550) to (S2570), the processing result of the sensitive data is stored in the data protection memory area processing unit 2129 through the sensitive data service gateway unit 2121, and the data protection memory area processing unit The processing result of the sensitive data stored in (2129) is copied to the data non-protected memory area processing unit 2128 and stored, and the processing result of the sensitive data stored in the data non-protected memory area processing unit 2128 is transferred to the data non-protected area processing unit 2110. ).

26 and 27 are block diagrams showing in detail an integrated storage management function according to an embodiment of the present invention.

Referring to FIGS. 26 and 27, a GLOBAL REGISTRY may transmit and receive data operation write buffer or read cache (DATA OPERATION WRITE BUFFER OR READ CACHE) and data operation metadata (DATA OPERATION METADATA).

Provision of a single virtual volume and a virtual storage pool (PROVISION OF SINGLE VIRTUAL AND VIRTUAL STORAGE POOL) can transmit and receive a virtual storage pool management unit (VIRTUAL STORAGE POOL MANAGEMENT) and storage operation and metadata (STORAGE OPERATION & METADATA).

The data storage policy management and data manipulation unit (POLICY MANAGEMENT OF DATA STORAGE AND DATA MANIPULATION) transmits and receives data operation write buffer or read cache (DATA OPERATION WRITE BUFFER OR READ CACHE) and data manipulation policy (POLICY FOR DATA MANIPULATION). I can.

The data storage policy management and data manipulation unit (POLICY MANAGEMENT OF DATA STORAGE AND DATA MANIPULATION) can transmit and receive the ENHANCEMENT OF DATA MANIPULATION and POLICY FOR ENHANCEMENT.

The data storage policy management and data manipulation unit (POLICY MANAGEMENT OF DATA STORAGE AND DATA MANIPULATION) can transmit and receive the storage structuring unit (STORAGE STRUCTURING) and the POLICY FOR STORAGE OF TIER.

In addition, DSF function requirements according to an embodiment of the present invention can be described as follows.

CSP:DMP (Cloud Service Provider: Data Manipulation Provider) can provide CSC:CSU data recovery from system failure.

CSP:DMP can provide DSF data migration to usable DSF local storage, providing storage space elasticity and cost efficiency.

CSP:DMP can provide validation of DSF data for data manipulation to ensure data integrity.

CSP:DMP can provide data consistency of CSC:CSU for replicated DSF data.

CSP:DMP can support the data transparency of CSC:CSU.

CSP:SFP (Cloud Service Provider:Storage Federation Provider) can provide a single virtual volume optimization according to the purpose of CSC:CSU.

CSP:SFP can provide global registry backup for high availability.

In addition, the data manipulation unit 120 according to an embodiment of the present invention may provide an enhanced management function for manipulating data.

ENHANCED MANAGEMENT can replicate fragmentation for distribution to DSF local storage.

These replicas using the same data are deployed on DSF local storage and can be shared with other servers in different locations for high availability.

Enhanced management functions can keep up-to-date data between duplicate and original data.

The enhanced management function can determine the copy distribution according to the DSF local storage information.

For example, in the information of DSF local storage, slow storage can be easily excluded from DSF local storage for distribution of replication.

Enhanced management capabilities can backup DSF local storage by taking snapshots.

For example, a snapshot can represent data information at a specific point in time to quickly provide a copy of the data. Several types of snapshot techniques can be used, such as copy-on-write snapshots, clones, split mirror snapshots, and redirection-on-write snapshots.

Enhanced management capabilities can restore DSF local storage with the latest snapshots.

For example, enhanced management capabilities enable quick and easy access to data for backup and recovery using snapshots.

Enhanced management capabilities allow DSF local storage to be migrated if the DSF local storage is full or fails.

For example, if migration can be excluded from DSF local storage at the request of CSC due to poor performance or insufficient capacity of the existing storage, the data from the existing storage can be moved to the new storage and the new storage can be accessed instead of the existing storage have.

Enhanced management capabilities can back up the DSF global registry for high availability.

Global registry backups, for example, allow a secondary DSF global registry to provide a single virtual volume and virtual storage pool to perform failover.

Enhanced management functions can provide error correction to prevent data loss.

For example, the error correction function may correspond to a technology that prevents data loss during data transmission, such as a Cyclic Redundancy Code (CRC), a checksum, a cryptographic hash function, or forward error correction.

Enhanced management capabilities can keep up-to-date data locations in the global registry for data transparency.

Data transparency can correspond to the location of the data and the ability to access and work with the data, regardless of the location of the data and the reported data being accurate and from an official source.

Enhanced management functions can prevent data leakage while handling sensitive data for data protection.

Sensitive data can correspond to financial information, health information, personally identifiable data, etc.

In this case, the sensitive data may be processed by the sensitive data processing apparatus 2100 described above.

The sensitive data processing apparatus 2100 may prevent external intrusion by adding a data protection area and processing data in the data protection area to block all I/O interfaces.

The data protection domain can correspond to a HW or SW structure that uses a security gateway or API to copy sensitive data to the protected area, decrypt the encrypted sensitive data, handle CSC's service operations, and return results.

Reinforced management functions can apply reinforcement policies.

Reinforcement policies can include replication, backup, snapshot, migration, error correction, and data protection.

In addition, the data fragmentation function for DSF distribution according to an embodiment of the present invention may provide the following functions.

CSP:SFP can provide performance information of DSF local storage in storage management metadata.

CSP:SFP can provide virtual storage pool optimization by considering the performance of DSF local storage.

The data fragmentation function for deployment can receive DSF local storage and fragmentation size information from the virtual storage pool management.

Examples of DSF local storage information may include credentials, access mechanisms, endpoints, storage capabilities, and storage capacity.

The data fragmentation function for distribution can set the maximum fragment size.

The data fragmentation function for distribution can collect data from the CSC from the write buffer when the data fills the buffer.

The maximum fragment size can be determined depending on the storage's I/O bandwidth, storage capacity, and cache usage. Large fragment sizes can be bulk copied to DSF local storage, and smaller fragment sizes can make it difficult to fit into the cache size.

The data fragmentation function for deployment can verify the fragment size in virtual storage pool management.

The data fragmentation function for distribution can receive the data from the CSC in the write buffer for storage in the DSF local storage.

The data fragmentation function for distribution can transfer the requested CSC data from the DSF local storage to the cache when a cache miss occurs.

The data fragmentation function for distribution can verify and apply fragmentation policies.

Examples of fragmentation policies may include fragmentation size, number of fragmentation, number of parity bits, number of fragmentation per storage, and the like.

28 is a diagram showing an automatic layering structure of a cloud infrastructure system according to an embodiment of the present invention.

Referring to FIG. 28, it can be seen that an automatic layering structure of a cloud infrastructure system according to an embodiment of the present invention is shown.

The cloud storage according to an embodiment of the present invention may perform a policy-based integrated storage automatic tiering function.

In this case, the integrated storage management apparatus 100 according to an embodiment of the present invention may perform a policy-based integrated storage automatic tiering function.

That is, the integrated storage management device 100 that performs the policy-based integrated storage automatic tiering function may correspond to an integrated storage management device supporting a layered structure.

Referring to FIG. 2, the backend storage management unit 140 may perform a policy-based integrated storage automatic tiering function.

The integrated storage management apparatus supporting a layered structure according to an embodiment of the present invention may automatically distribute and store data in various storage layers.

The integrated storage management device supporting a hierarchical structure, which is a CiS operating platform according to an embodiment of the present invention, can manage various storages such as main memory, SSD, NVME, HDD, SAS, iSCSI storage, object storage, and public cloud storage.

Storage managed by the integrated management story device 100 according to an embodiment of the present invention may have different characteristics in terms of access speed and capacity.

For example, main memory can provide the highest access speed, but the least storage capacity.

SSD, HDD, iSCSI storage and public cloud storage can provide more storage capacity, although the access speed is slower in the order described.

Supporting a layered structure The integrated storage management device may layer storages based on characteristics of the storages.

In this case, the integrated storage management device supporting a hierarchical structure may store the initially generated data in a high-speed storage, and when the frequency of access to the data decreases, the data may be moved to the storage of a lower layer.

In this case, the integrated storage management device supporting the layered structure may finally store the data in the public cloud storage when access to the data is terminated.

In this case, the integrated storage management device supporting a layered structure may move data between various storage tiers according to the characteristics of the data.

In this case, the storage layer managed by the integrated storage management device supporting the layered structure may include a performance tier, a capacity tier, and an archive tier.

In this case, the storage layer may be configured based on a policy.

As shown in FIG. 28, the performance class layer may include all memories or flash storage (PCIe FLASH, SSD) of a backend stage.

The capacity class tier may include on-premises storage (HDD, SAN, ON-PREMISE DISK STORAGE, ON-PREMISE OBJECT STORAGE) that securely stores data in multiple data centers or local storage.

The storage class tier may include public cloud storage (PUBLIC CLOUDE STORAGE) that keeps data secure.

29 is a diagram illustrating types of storage in a hierarchical structure according to an embodiment of the present invention.

Referring to FIG. 29, it can be seen that the types of storage in a hierarchical structure are shown.

In this case, the integrated storage management device supporting a layered structure may automatically allocate the best possible storage layer for a specific data volume by using a data movement or copy function.

In this case, the integrated storage management device supporting a hierarchical structure may access a hierarchical structure for read/write by allocating storage types that perform various functions in order to increase storage management performance. The types of allocated storage types are as follows.

Location based storage management strategies can store the exact location where data is placed.

That is, the integrated storage management device supporting a hierarchical structure may store an exact location of a storage in which data (actual value) is stored in metadata of each address.

The location-based storage management strategy knows the exact location of the data, even if the data changes frequently, so reads can be performed very quickly.

However, since the location-based storage has no history, if the address is overwritten, the location of the old value may be lost because the location of the new data is included in the address.

The location-based storage management strategy can be managed in a write cache (WRITE CACHE), and can be allocated to a PERFORMANCE TIER.

Time based storage management strategy can use time information to identify the time the data was recorded.

In other words, the integrated storage management device supporting a hierarchical structure may perform a log-type approach in which all data writes are added as a log to store the records in sequence.

In this case, the integrated storage management device supporting a hierarchical structure may add time information to the end of the log instead of finding an appropriate location whenever there is new data to be recorded.

The time-based storage management strategy always has all the records of the volume (all writes are added), so you can implement a snapshot by ending the log and starting a new log file.

However, in the time-based storage management strategy, data reading time may be slowed down because data is distributed to other log files (snapshots) after a certain period of time.

Also, a time-based storage management strategy requires moving from the last log file to the first log file to identify the last time the address was written to find the latest value written for an address.

In addition, time-based storage management strategies cannot perform additional strategies indefinitely, and garbage collection processes can also be used to reclaim data spaces that require very long time, such as retention periods.

The time-based storage management strategy can be managed in the storage backend (STORAGE BACKEND) and can be assigned to the CAPACITY TIER and the ARCHIVE TIER.

The Content Addressable Storage (CAS) strategy may indicate an identifier (eg, hash value) to each write.

The integrated storage management device supporting a hierarchical structure may calculate a hash value from the contents of the stored information.

An integrated storage management device supporting a hierarchical structure can store hashes and data as'key/value' pairs.

That is, if the hashes match, it may mean that data exists behind the corresponding hash key.

The integrated storage management device supporting a hierarchical structure can check whether an object is stored only once by using a hash.

Therefore, the content addressable storage strategy can be mainly used in a storage solution that provides a deduplication function. However, a content-addressable storage strategy cannot be used to write or store a lot of data efficiently, and it requires some overhead to maintain an ordered hash, so it can only be used if the data does not change frequently.

The content addressable storage strategy may be managed in a read cache (READ CACHE), and may be allocated to a PERFORMANCE TIER.

Layered structure support The integrated storage management device may support a layered structure for each storage by combining the advantages and disadvantages of the storage strategies.

The integrated storage management device supporting a layered structure can perform caching using an SSD or PCIe flash card inside the system.

The integrated storage management device supporting a layered structure may include a read cache, a write cache, and a storage backend.

The read cache is implemented as CAS (Content-addressable storage), so it can provide fast performance and deduplication for frequently used data.

The write cache may be implemented using Location Based Storage.

The storage backend can be implemented using time-based storage by counting writes that occur together at a specific time.

Time-based storage management strategies can provide features such as zero-copy snapshots, cloning and easy cloning.

30 is a block diagram showing an integrated storage management apparatus supporting a hierarchical structure according to an embodiment of the present invention. FIG. 31 is a detailed block diagram illustrating an example of a backend interface proxy unit shown in FIG. 30.

Referring to FIG. 30, the integrated storage management device supporting a hierarchical structure according to an embodiment of the present invention includes a data management unit 141, a backend interface proxy unit 142, a backend management unit 143, a name space management unit 144, A local backend interface management unit 145 and a global backend interface management unit 146 are included.

In this case, the components of the integrated storage management device supporting a hierarchical structure may be included in the backend storage management unit 140 of the integrated storage management device 100 illustrated in FIG. 2.

CiS operation platform such as the integrated storage management device 100 according to an embodiment of the present invention is a back-end storage interface for integrating heterogeneous storage devices through the back-end storage management unit 140 and providing data operation elasticity according to performance or scalability. Function can be provided.

The backend interface proxy unit 142 may support interfaces of heterogeneous storages to provide various storages to the data management unit 141 as a single virtual storage.

The backend interface proxy unit 142 may implement a proxy for connecting the configured backend storage units with the data management layer of the data management unit 141 and storing data delivered by the data management layer according to the storage type of the backend storage.

The backend interface proxy unit 142 may perform a function of a storage router connected from the user's storage to the backend, and may perform a function of storing a data object coming from a volume driver as a backend.

The backend interface proxy unit 142 may manage storages such that one proxy exists for each storage registered as a pool.

The backend interface proxy unit 142 may connect a local storage backend and a global storage backend.

The local storage backend may include on-premises storage devices that exist in single nodes and cluster nodes.

The Global Storage Backend may include public or private cloud-based storage services.

The local backend interface manager 145 may perform a connection method and a read/write function for a local storage backend.

In this case, the local backend interface management unit 145 may store the result of performing the read/write function in the final storage stage.

The global backend interface manager 146 may perform a connection method and a read/write function for a global storage backend.

In this case, the global backend interface management unit 146 may store the result of performing the read/write function in the final storage stage.

Unlike the local storage backend, the global storage backend does not have a storage in the system node, but a user-only storage in a private or public-based cloud storage through access to a cloud storage service.

Accordingly, the global backend interface management unit 146 may manage access information of the cloud storage service.

Referring to FIG. 31, the backend interface proxy unit 142 may include a backend connection management unit 142a.

The backend connection management unit 142a may include a garbage collector, a connection pool, a lock manager, a partial read counter, and a connection deleter. have.

The Garbage Collector can handle and correct system errors.

Storage pools can provide an interface for access.

The lock manager can provide a locking mechanism on the system.

The partial read connector can execute a partial read command on the system.

The Connection Deleter can perform a function of removing backend connections on the system.

32 is a diagram illustrating an operating environment of an integrated storage management apparatus supporting a hierarchical structure according to an embodiment of the present invention.

Referring to FIG. 32, it shows a cloud data access function for an application to utilize data in a public cloud connected to CiS, a remote system, and an on-premises environment in which CiS is driven.

The CiS operation platform can provide a function to perform data stored through CiS in external cloud computing resources through an application with guaranteed security. At this time, the executed application may be interlocked with the CiS system. Through this, it is possible to reduce the risk of users' data exposure and activate the use of computing resources in the public cloud.

The CiS operating platform can share data stored in remote public cloud storage to on-premises storage, and when storage fails, storage can be restored by replacing storage or adding new storage.

The user can store data in on-premises storage and public cloud storage according to data characteristics through an application in an on-premises environment in which CiS is executed, according to an embodiment of the present invention.

In this case, the integrated storage management device supporting a hierarchical structure may separately store metadata, protect data communication, and encrypt data to ensure security for data.

The integrated storage management device supporting a hierarchical structure may perform separate storage of metadata separately for storing encrypted data and metadata separately in public cloud storage and on-premises storage.

The metadata may include information about the encryption key and data.

The integrated storage management device supporting a hierarchical structure can store encrypted data in public cloud storage and store metadata related to the encrypted data in on-premises storage.

That is, the integrated storage management device supporting a hierarchical structure according to an embodiment of the present invention can store encrypted data according to the characteristics of the data in public cloud storage, and store metadata related to the encrypted data in the on-premises storage. have.

An integrated storage management device supporting a hierarchical structure can reduce the risk of data leakage by dividing and storing data.

Data communication protection can ensure high-reliability data transmission through SSL/TLS-based encryption when communicating between on-premises storage and public cloud storage. Data encryption can provide three types of AES (128, 192, 256) for encryption of data stored in back-end storage.

Since the integrated storage management device supporting a hierarchical structure encrypts and stores in public cloud storage in a predefined format, applications on the public cloud storage cannot provide services using the data.

To solve this problem, the public cloud can run a virtual CiS appliance connected to an integrated storage management device supporting a hierarchical structure.

The virtual CiS appliance can operate as a master-slave structure through clustering with an on-premises CiS system, and can perform the same procedure for accessing data from backend storage.

If the public cloud is an application capable of interworking with CiS, it can provide application services by using data stored by CiS.

In this case, if the public cloud is an application capable of interworking with an integrated storage management device supporting a hierarchical structure, an application service may be provided by using data stored by an integrated storage management device supporting a hierarchical structure.

On the contrary, public cloud and remote systems that provide applications that are not linked to CiS cannot access the data format and structure stored through CiS, so application services for data stored in the backend may be limited at the application level.

33 is an operation flow diagram illustrating a method for managing integrated storage supporting a hierarchical structure according to an embodiment of the present invention.

Referring to FIG. 33, in the integrated storage management method supporting a hierarchical structure according to an embodiment of the present invention, storages may be firstly layered (S510).

That is, in step S510, storages included in the public cloud storage and the on-premises storage may be layered according to storage characteristics.

In this case, in step S510, the storages may be classified and managed into a performance class layer, a capacity class layer, and a storage class layer.

In this case, in step S510, memory and flash storage may be managed in a performance level layer.

In this case, in step S510, the on-premises storage may be managed in a capacity class layer.

In this case, in step S510, the public cloud storage may be managed in the storage level layer.

In the integrated storage management method supporting a hierarchical structure according to an embodiment of the present invention, data may be stored according to storage characteristics (S520).

That is, in step S520, data may be stored in hierarchical storages according to the storage characteristics.

In this case, in step S520, data managed in the storage of the performance level layer may be stored using the read cache and the write cache.

In this case, in step S520, the location of the stored data using the write cache may be stored as metadata.

In this case, in step S520, a hash value of the stored data may be calculated using a read cache, and the data and the hash value may be stored in pairs.

In this case, in step S520, a time at which data managed in the storage of the capacity class layer and the storage class layer is recorded may be identified, and a log may be recorded according to the time.

In this case, in step S520, information about the time may be added to the end of the log.

The integrated storage management method supporting a hierarchical structure according to an embodiment of the present invention may store data according to data characteristics (S530).

That is, in step S530, data may be stored in hierarchical storages according to the characteristics of the data.

At this time, step S530 may perform separate storage of metadata, data communication protection, and data encryption.

In this case, in step S530, encrypted data according to data characteristics may be stored in public cloud storage, and metadata related to the encrypted data may be separated and stored in on-premises storage.

In this case, in step S530, when communication between the on-premises storage and the public cloud storage, high-reliability data transmission may be ensured through SSL/TLS-based encryption. Data encryption can provide three types of AES (128, 192, 256) for encryption of data stored in back-end storage.

In this case, in step S530, the public cloud storage may provide an application service by accessing data in the on-premises storage using a virtual appliance.

Referring to FIG. 13, an integrated storage management apparatus supporting a hierarchical structure according to an embodiment of the present invention may be implemented in a computer system 1100 such as a computer-readable recording medium. The computer system 1100 includes one or more processors 1110, a memory 1130, a user interface input device 1140, a user interface output device 1150, and a storage 1160 in communication with each other through a bus 1120. I can. Further, the computer system 1100 may further include a network interface 1170 connected to the network 1180. The processor 1110 may be a central processing unit or a semiconductor device that executes processing instructions stored in the memory 1130 or the storage 1160. The memory 1130 and the storage 1160 may be various types of volatile or nonvolatile storage media. For example, the memory may include a ROM 1131 or a RAM 1132.

An integrated storage management apparatus supporting a hierarchical structure according to an embodiment of the present invention includes one or more processors 1110 and an execution memory 1130 for storing at least one program executed by the one or more processors 1110, and , The at least one program layered storages included in public cloud storage and on-premises storage according to storage characteristics, stores data in tiered storages according to the storage characteristics, and layered storage according to the characteristics of the data Data can be stored in the field.

In this case, the at least one program may classify and manage the storages into a performance class tier, a capacity class tier, and a storage class tier.

In this case, the at least one program may manage memory and flash storage in a performance level layer.

In this case, the at least one program may manage on-premises storage in a capacity class layer.

In this case, the at least one program may manage public cloud storage in a storage level layer.

In this case, the at least one program may use a read cache and a write cache to store data managed in a storage of a performance level layer.

In this case, the at least one program may store the location of the stored data as metadata using a write cache.

In this case, the at least one program may calculate a hash value of stored data using a read cache, and store the data and the hash value in pairs.

In this case, the at least one program may identify a time at which data managed in the storage of the capacity class layer and the storage class layer is recorded, and record a log according to the time.

In this case, the at least one program may add information about the time to the end of the log.

In this case, the at least one program may store data in hierarchical storages according to the characteristics of the data.

In this case, the at least one program may separately store metadata, protect data communication, and encrypt data.

In this case, the at least one program may store encrypted data according to data characteristics in public cloud storage, and separate and store metadata related to the encrypted data in on-premises storage.

In this case, the at least one program may guarantee high-reliability data transmission through SSL/TLS-based encryption when communicating between the on-premises storage and the public cloud storage. Data encryption can provide three types of AES (128, 192, 256) for encryption of data stored in back-end storage.

In this case, the public cloud storage may provide an application service by accessing the data of the on-premises storage using a virtual appliance in the at least one or more programs.

As described above, the apparatus and method for managing a hierarchical structure supporting an integrated storage according to an embodiment of the present invention are not limited to the configuration and method of the embodiments described as described above, but the embodiments are variously modified. All or part of each of the embodiments may be selectively combined and configured so that this can be achieved.

10: user client device 20: unified storage
21: cloud storage 22: non-cloud storage
100: integrated storage management device 110: storage connection
111: virtual block device service engine
112: File system service engine
113: Object storage service engine
120: data manipulation unit 121: in-memory namespace block
122: read cache unit 122a: data deduplication engine
123: write cache unit 123a: data transaction log unit
124: In-memory deduplication engine
125: in-memory data compression engine
130: data distribution and storage unit 131: data compression block
132: data distribution block
140: backend storage management unit 150: provisioning and policy management unit
141: data management unit 142: backend interface proxy unit
143: backend management unit 144: namespace management unit
145: local backend interface management unit
146: Global backend interface management unit
1100: computer system 1110: processor
1120: bus 1130: memory
1131: ROM 1132: RAM
1140: user interface input device
1150: user interface output device
1160: storage 1170: network interface
1180: network
2010: client device 2100: sensitive data processing device
2110: data unprotected area processing unit
2111: sensitive data transmission unit 2112: key transmission unit
2113: sensitive data service calling unit 2114: client service API unit
2120: data protection area processing unit
2121: sensitive data service gateway unit
3211: Sensitive data storage endpoint
3212: Keystore endpoint 3213: Sensitive data service endpoint
3214: Sensitive data processing execution unit
2122: sensitive data storage unit 2123: key storage unit
2123a: tag-key storage unit 2124: sensitive data decryption unit
2125: sensitive data processing unit 2126: service argument copy unit
2127: processing result copy unit
2128: data unprotected memory area processing unit
2129: data protection memory area processing unit
2200: cloud unified storage device
2210: encryption unit 2220: key storage unit
2230: on-premises storage 2240: cloud storage

Claims (20)

One or more processors; And
An execution memory storing at least one program executed by the one or more processors;
Including,
The at least one program is
Tiering storage included in public cloud storage and on-premises storage according to storage characteristics,
Stores data in tiered storages according to the storage characteristics,
An integrated storage management device supporting a hierarchical structure, characterized in that storing data in hierarchical storages according to the characteristics of the data. The method according to claim 1,
The at least one program is
An integrated storage management apparatus supporting a hierarchical structure, characterized in that the storages are classified and managed into a performance class tier, a capacity class tier, and a storage class tier according to the storage characteristics. The method according to claim 2,
The at least one program is
Manage memory and flash storage in the performance class layer,
Manage the on-premises storage in the capacity class tier,
An integrated storage management device supporting a hierarchical structure, characterized in that the public cloud storage is managed at the storage level layer. The method of claim 3,
The at least one program is
An integrated storage management device supporting a hierarchical structure, characterized in that to store data managed in the storage of the performance class layer by using a read cache and a write cache. The method of claim 4,
The at least one program is
An integrated storage management device supporting a hierarchical structure, characterized in that the location of the data stored using the write cache is stored as metadata. The method of claim 4,
The at least one program is
An integrated storage management device supporting a hierarchical structure, characterized in that the hash value of the stored data is calculated using the read cache, and the data and the hash value are stored in pairs. The method of claim 3,
The at least one program is
An integrated storage management apparatus supporting a hierarchical structure, characterized in that it identifies a time at which data managed in the storage of the capacity class layer and the storage class layer is recorded, and records a log according to the time. The method of claim 7,
The at least one program is
An integrated storage management apparatus supporting a hierarchical structure, characterized in that information about the time is added to an end portion of the log. The method according to claim 1,
The at least one program is
And storing the data in the public cloud storage according to the characteristics of the data, and separately storing the other data related to the data in on-premises storage. The method of claim 9,
The public cloud storage device for hierarchical structure support, characterized in that the access to the data stored in the on-premises storage associated with the metadata using a virtual appliance.
Tiering storage included in public cloud storage and on-premises storage according to storage characteristics, In the hierarchical structure support integrated storage management method of the hierarchical structure support integrated storage management device,
Tiering storages included in public cloud storage and on-premises storage according to storage characteristics;
Storing data in hierarchical storages according to the storage characteristics; And
Storing data in hierarchical storages according to the characteristics of the data;
Hierarchical structure support integrated storage management method comprising a. The method of claim 11,
The layering step is
A method for managing integrated storage supporting a hierarchical structure, comprising classifying and managing the storages into a performance class tier, a capacity class tier, and a storage class tier according to the storage characteristics. The method of claim 12,
The layering step is
Manage memory and flash storage in the performance class layer,
Manage the on-premises storage in the capacity class tier,
An integrated storage management method supporting a hierarchical structure, characterized in that the public cloud storage is managed in the storage class layer. The method of claim 13,
Storing data in tiered storages according to the storage characteristics is
A method for managing a hierarchical structure supporting a hierarchical structure, comprising storing data managed in the storage of the performance class layer by using a read cache and a write cache. The method of claim 14,
Storing data in tiered storages according to the storage characteristics is
An integrated storage management method supporting a hierarchical structure, characterized in that the location of the data stored using the write cache is stored as metadata. The method of claim 14,
Storing data in tiered storages according to the storage characteristics is
A method for managing a hierarchical structure supporting a hierarchical structure, comprising calculating a hash value of data stored using the read cache, and storing the data and the hash value in pairs. The method of claim 13,
Storing data in tiered storages according to the storage characteristics is
A method for managing a hierarchical structure supporting a hierarchical structure, comprising: identifying a time at which data managed in the storage of the capacity level layer and the storage level layer is recorded, and recording a log according to the time. The method of claim 17,
Storing data in tiered storages according to the storage characteristics is
An integrated storage management method supporting a hierarchical structure, characterized in that information about the time is added to an end portion of the log. The method of claim 11,
Storing data in tiered storages according to the characteristics of the data
And storing the data in the public cloud storage according to the characteristics of the data, and separately storing the other data related to the data in on-premises storage. The method of claim 19,
Storing data in tiered storages according to the characteristics of the data
The public cloud storage, a hierarchical structure support integrated storage management method, characterized in that the access to the data stored in the on-premises storage associated with the metadata using a virtual appliance.

Images